From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933888AbcAYUKy (ORCPT ); Mon, 25 Jan 2016 15:10:54 -0500 Received: from out03.mta.xmission.com ([166.70.13.233]:38477 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757327AbcAYUKr (ORCPT ); Mon, 25 Jan 2016 15:10:47 -0500 From: ebiederm@xmission.com (Eric W. Biederman) To: Seth Forshee Cc: linux-bcache@vger.kernel.org, dm-devel@redhat.com, linux-raid@vger.kernel.org, linux-mtd@lists.infradead.org, linux-fsdevel@vger.kernel.org, fuse-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, Alexander Viro , Serge Hallyn , Richard Weinberger , Austin S Hemmelgarn , Miklos Szeredi , linux-kernel@vger.kernel.org References: <1451930639-94331-1-git-send-email-seth.forshee@canonical.com> <20160125194722.GA10638@ubuntu-hedt> Date: Mon, 25 Jan 2016 14:01:22 -0600 In-Reply-To: <20160125194722.GA10638@ubuntu-hedt> (Seth Forshee's message of "Mon, 25 Jan 2016 13:47:22 -0600") Message-ID: <87mvrtqvhp.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-AID: U2FsdGVkX1+zosg5K+p3lcsKvssi1rha6K8bFOV7MBM= X-SA-Exim-Connect-IP: 97.121.81.63 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.7 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa06 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Seth Forshee X-Spam-Relay-Country: X-Spam-Timing: total 791 ms - load_scoreonly_sql: 0.03 (0.0%), signal_user_changed: 3.5 (0.4%), b_tie_ro: 2.4 (0.3%), parse: 0.68 (0.1%), extract_message_metadata: 12 (1.6%), get_uri_detail_list: 2.2 (0.3%), tests_pri_-1000: 3.0 (0.4%), tests_pri_-950: 1.22 (0.2%), tests_pri_-900: 1.03 (0.1%), tests_pri_-400: 27 (3.4%), check_bayes: 26 (3.3%), b_tokenize: 8 (1.0%), b_tok_get_all: 10 (1.2%), b_comp_prob: 2.7 (0.3%), b_tok_touch_all: 3.6 (0.4%), b_finish: 0.66 (0.1%), tests_pri_0: 734 (92.8%), check_dkim_signature: 0.48 (0.1%), check_dkim_adsp: 4.5 (0.6%), tests_pri_500: 4.8 (0.6%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH RESEND v2 00/19] Support fuse mounts in user namespaces X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Seth Forshee writes: > On Mon, Jan 04, 2016 at 12:03:39PM -0600, Seth Forshee wrote: >> These patches implement support for mounting filesystems in user >> namespaces using fuse. They are based on the patches in the for-testing >> branch of >> git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git, >> but I've rebased them onto 4.4-rc3. I've pushed all of this to: >> >> git://git.kernel.org/pub/scm/linux/kernel/git/sforshee/linux.git fuse-userns >> >> The patches are organized into three high-level groups. >> >> Patches 1-6 are related to security, adding restrictions for >> unprivileged mounts and updating the LSMs as needed. Patches 1-2 >> (checking inode permissions for block device mounts) may not be strictly >> necessary for fuseblk mounts since fuse doesn't do any IO on the block >> device in the kernel, but it still seems like a good idea to fail the >> mount if the user doesn't have the required permissions for the inode >> (though this is a bit misleading with fuse since the mounts are done via >> a suid-root helper). >> >> Patches 7-14 update most of the vfs to translate ids correctly and deal >> with inodes which may have invalid user/group ids. I've omitted patches >> for anything not used by fuse - quota, fs freezing, some helper >> functions, etc. - but if these are wanted for the sake of completeness I >> can include them. >> >> Patches 15-18 update fuse to deal with mounts from non-init pid and user >> namespaces and enable mounting from user namespaces. >> >> Changes since v1: >> - Drop patch for FIBMAP. >> - Use current_in_userns in fuse_allow_current_process. >> - Remove checks for uid/gid validity in fuse. Intead, ids from the >> backing store which do not map into s_user_ns will result in invalid >> ids in the vfs inode. Checks in the vfs will prevent unmappable ids >> from being passed in from above. >> - Update a couple of commit messages to provide more detail about >> changes. > > Now that the merge window is over, I'm wondering whether it might be > possible to get some feedback on these patches this cycle? Definitely. Apologies for not giving you much feedback earlier. I had been hoping this was the kind of thing I could just double check to be certain you weren't doing anything silly and just apply. After my last round of looking at this I realized that for me to be comfortable with these patches I will have to give them very close scrutiny, and check every detail. Unfortunatly last cycle I had failed to budget enough time to give these patches the close scrutiny they need. >>From a high level I am still very much in favor of this approach and at least getting as far as safe unprivileged fuse mounts. I have one or two little things to look at and then I hope to be going through your patches one by one in detail. Eric