From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754489AbbCaNHi (ORCPT <rfc822;w@1wt.eu>);
	Tue, 31 Mar 2015 09:07:38 -0400
Received: from bedivere.hansenpartnership.com ([66.63.167.143]:59633 "EHLO
	bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1754466AbbCaNHd (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 31 Mar 2015 09:07:33 -0400
Message-ID: <1427807248.2117.117.camel@HansenPartnership.com>
Subject: Re: [PATCH] devpts: Add ptmx_uid and ptmx_gid options
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Alexander Larsson <alexl@redhat.com>
Cc: Andy Lutomirski <luto@amacapital.net>, gnome-os-list@gnome.org,
        Linux Containers <containers@lists.linux-foundation.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        mclasen@redhat.com, "Eric W. Biederman" <ebiederm@xmission.com>,
        Linux FS Devel <linux-fsdevel@vger.kernel.org>
Date: Tue, 31 Mar 2015 16:07:28 +0300
In-Reply-To: <1427788642.4411.12.camel@redhat.com>
References: <b321c0c2729d1c2a72aea319b077dce7afd79698.1424480579.git.luto@amacapital.net>
	 <CALCETrVtGE8LdBCFTe1_cqpLf=SxPNX5iCe5wa-hZ0pe8ps_jA@mail.gmail.com>
	 <1427447013.2250.9.camel@HansenPartnership.com>
	 <1427788642.4411.12.camel@redhat.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.12.11 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 2015-03-31 at 09:57 +0200, Alexander Larsson wrote:
> On fre, 2015-03-27 at 10:03 +0100, James Bottomley 
> > 
> > > On Fri, Feb 20, 2015 at 5:04 PM, Andy Lutomirski <luto@amacapital.net> wrote:
> > > > It's currently impossible to mount devpts in a user namespace that
> > > > has no root user, since ptmx can't be created.
> > 
> > This is where I stopped reading because it's not true ... because it is
> > possible, you just do it from the host as real root.
> 
> The point is being able to set up a container as a user, not requiring
> the setup to be run as root at all. In my case container is a desktop
> application which will be started by the user, and will run as the user.
> There is no root involved in the call chain at all.

I don't really like that use case:  Most container setups are under the
control of an orchestration system (like LXC, OpenVZ or even Docker).
You typically get the orchestration system to do the dangerous
operations (mount being one of the bigger dangers) because it has the
capacity to vet them.  I can see the value in allowing a user to set up
a container without an oversight system, but at the same time you're
increasing the security vulnerability of the system.  Security is often
a result of policy, so now this embeds policy into the kernel.  I
strongly feel we should define the list of things we expect an
unsupervised (as in with no orchestration system) container to do and
then revisit this once we've given it some thought.

James