From: ebiederm@xmission.com (Eric W. Biederman)
To: mtk.manpages@gmail.com
Cc: Rob Landley <rob@landley.net>,
linux-man <linux-man@vger.kernel.org>,
Linux Containers <containers@lists.linux-foundation.org>,
lkml <linux-kernel@vger.kernel.org>,
Vasily Kulikov <segoon@openwall.com>,
Serge Hallyn <serge.hallyn@ubuntu.com>,
luto@amacapital.net
Subject: Re: For review (v2): user_namespaces(7) man page
Date: Thu, 28 Mar 2013 19:21:51 -0700 [thread overview]
Message-ID: <87ehez2beo.fsf@xmission.com> (raw)
In-Reply-To: <CAKgNAkjgmTJ1BiHVbqVtz-g-=yfewMiYaroDJELJpa1aRrFAvQ@mail.gmail.com> (Michael Kerrisk's message of "Wed, 27 Mar 2013 22:26:07 +0100")
Over the last little while I have been working to correct a design
oversight in user namespaces, that probably needs to be documented
somewhere, and the fixes for the worst of the oversight have been
merged.
The problem was I forgot to consider what when there are shared
resources and root uses things like chroot and mounts as access policy
controls, and not as a mechanism to prevent the gaining of privilege.
This has led to the realization that the root directory is one of the
privileged identifiers that is controlled by the user namespace.
So now there is a restriction that user namespaces can not be created
if you are chrooted.
Beyond that there are restrictions on what you can do in a mount
namespace created inside a user namespace. Read-only bind mounts
may not be remounted to read-write. The mqueue filesystem may only be
mounted if you have CAP_SYS_ADMIN over it's ipc namespace. proc and
sysfs may only be mounted if they are already somewhere in the mount
namespace.
There is a remaining open question on what to allow in the context of
unmounting and bind mounts. In the normal case unmounting something is
safe because mounts almost always happen on an empty directory. The
only significant case that I can think of where this is different are
union mounts and union filesystems. However the general principle of
following the restrictions of the root user makes suggests that unmounts
should not happen.
In the grand scheme of things these are small little things but they are
details we need to get right so that enabling user namespaces is no
worse that adding any other feature to the kernel. In the worst case
just adding more attack surface for the bad guys, but not a matter of
risk semantically.
Eric
next prev parent reply other threads:[~2013-03-29 2:22 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-27 21:26 For review (v2): user_namespaces(7) man page Michael Kerrisk (man-pages)
2013-03-28 12:13 ` Eric W. Biederman
2013-03-29 2:21 ` Eric W. Biederman [this message]
2013-04-25 7:48 ` richard -rw- weinberger
2013-04-26 0:54 ` Eric W. Biederman
2013-04-26 5:48 ` richard -rw- weinberger
2013-04-29 20:21 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ehez2beo.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=containers@lists.linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mtk.manpages@gmail.com \
--cc=rob@landley.net \
--cc=segoon@openwall.com \
--cc=serge.hallyn@ubuntu.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox