public inbox for linux-fsdevel@vger.kernel.org
From: ebiederm@xmission.com (Eric W. Biederman)
To: Lubomir Rintel <lkundrak@v3.sk>
Cc: linux-fsdevel@vger.kernel.org
Subject: Re: 4.2: Can't mount sysfs in a mount ns & user ns
Date: Thu, 13 Aug 2015 10:20:09 -0500
Message-ID: <87r3n71ahi.fsf@x220.int.ebiederm.org>
In-Reply-To: <1439452396.23299.33.camel@v3.sk> (Lubomir Rintel's message of "Thu, 13 Aug 2015 09:53:16 +0200")

Lubomir Rintel <lkundrak@v3.sk> writes:

> Hi,
>
> 4.0.6-300.fc22.x86_64:
> [lkundrak@fedora22-1 ~]$ unshare -r --mount --net
> [root@fedora22-1 ~]# mount --make-slave /sys
> [root@fedora22-1 ~]# mount -t sysfs sysfs /sys
> [root@fedora22-1 ~]# 
>
> 4.2.0-0.rc6.git0.1.fc24.x86_64:
> [lkundrak@fedora23-1 ~]$ unshare -r --mount --net
> [root@fedora23-1 ~]# mount --make-slave /sys
> [root@fedora23-1 ~]# mount -t sysfs sysfs /sys
> mount: permission denied
> [root@fedora23-1 ~]#
>
> we use this in NetworkManager test suite, to ensure the devices we see
> via GUdev are the same as we see via rtnetlink.
>
> I'm wondering if this is a bug or an intended change?

There was an intentional tightening up of the permissions required to
mount sysfs to prevent people in jails from gaining access to things
they would not ordinarily have access to.  The change was not expected
to affect anyone's legitimate use case.

What are the mount flags of the previous mount of sysfs?
What is mounted on top of sysfs?

Or, in short, can I see /proc/self/mounts for the failing scenario?

Without a little more detail I can't see if there is a possible security
violation in your code or if this is something I can fix.

Eric
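The two questions above (the options of the existing sysfs mount, and what is mounted underneath it) can be answered mechanically from /proc/self/mounts. The helper below is an added example written for this archive page; it is not code from the original mail, from NetworkManager, or from the kernel. It reads a saved copy of /proc/self/mounts (six whitespace-separated fields: device, mountpoint, fstype, options, dump, pass), prints the options of the sysfs mount at a given mountpoint, and lists every mount whose mountpoint lies below it. The sample mounts table is constructed for illustration and does not reproduce the reporter's machine; the `capture_failing_mounts` function replays the exact commands from the report and needs unprivileged user namespaces to be enabled.

```shell
#!/bin/sh
# Added example, not from the original thread.  Helpers for collecting
# what the reply asks for: the flags of the existing sysfs mount and the
# mounts stacked on top of it.  Works on a saved /proc/self/mounts file.

# Print the options field of the sysfs mount at mountpoint $2 (default /sys)
# from the mounts file $1.  Prints nothing if no such mount exists.
sysfs_options() {
    awk -v mp="${2:-/sys}" '$2 == mp && $3 == "sysfs" { print $4; exit }' "$1"
}

# List "mountpoint fstype options" for every mount strictly below the
# sysfs mountpoint $2 (default /sys) in the mounts file $1.  Any of these
# is hidden by a fresh sysfs mount, which is why the reply asks about them.
# Note: the kernel escapes spaces in mountpoints as \040, so a plain
# prefix match on field 2 is safe.
mounts_under() {
    awk -v mp="${2:-/sys}" 'index($2, mp "/") == 1 { print $2, $3, $4 }' "$1"
}

# Replay the failing scenario from the report inside fresh user, mount and
# net namespaces and dump /proc/self/mounts from inside them (stdout), so
# the result can be fed to the helpers above.  Requires unshare(1) and
# unprivileged user namespaces; mount failure is reported on stderr.
capture_failing_mounts() {
    unshare -r --mount --net sh -c '
        mount --make-slave /sys
        mount -t sysfs sysfs /sys || echo "mount -t sysfs failed: exit $?" >&2
        cat /proc/self/mounts'
}

# Constructed sample resembling a host mounts table with two mounts below
# /sys.  The entries are made up for this example.
sample_mounts() {
    cat <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}
```

Typical use is `capture_failing_mounts > mounts.txt` on the affected kernel, then `sysfs_options mounts.txt` and `mounts_under mounts.txt` to see the flags and the over-mounts in the namespace where the mount was refused.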


Thread overview: 7+ messages
2015-08-13  7:53 4.2: Can't mount sysfs in a mount ns & user ns Lubomir Rintel
2015-08-13 15:20 ` Eric W. Biederman [this message]
2015-08-13 16:07   ` Lubomir Rintel
2015-08-13 16:17     ` Eric W. Biederman
2015-08-14 13:21       ` [PATCH] kdbus: create /sys/fs/kdbus with sysfs_create_mount_point() Lubomir Rintel
2015-08-17 17:23         ` David Herrmann
2015-08-17 20:52           ` Josh Boyer
