From: ebiederm@xmission.com (Eric W. Biederman)
To: Enrico Weigelt <lkml@metux.net>
Cc: "linux-kernel\@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Linux Containers <containers@lists.linux-foundation.org>
Subject: Re: plan9 semantics on Linux - mount namespaces
Date: Fri, 16 Feb 2018 12:26:59 -0600 [thread overview]
Message-ID: <87po54x024.fsf@xmission.com> (raw)
In-Reply-To: <5633d335-3926-d98f-d6d7-948b1e2a0b2c@metux.net> (Enrico Weigelt's message of "Tue, 13 Feb 2018 22:19:48 +0000")
Enrico Weigelt <lkml@metux.net> writes:
> On 13.02.2018 22:12, Enrico Weigelt wrote:
>
> CC @containers@lists.linux-foundation.org
>
>> Hi folks,
>>
>>
>> I'm currently trying to implement plan9 semantics on Linux and
>> yet sorting out how to do the mount namespace handling.
>>
>> On plan9, any unprivileged process can create its own namespace
>> and mount/bind at will, while on Linux this requires CAP_SYS_ADMIN.
>>
>> What is the reason for not allowing arbitrary users to create their
>> own private mount namespace ? What could go wrong here ?
suid root executables could be fooled. An easy case is fooling
/bin/su into reading a different copy of /etc/shadow, and allowing
arbitrary changes between users.
>> IMHO, we could allow mount/bind under the following conditions:
>>
>> * the process is in a private mount namespace
>> * no suid-flag is honored (either force all mounts to nosuid or
>> completely mask it out)
>> * only certain whitelisted filesystems allowed (eg. 9P and FUSE)
>>
>> Maybe that all could be enabled by a new capability.
>>
>>
>> any suggestions ?
User namespaces limit the contained processes to not having any
permissions outside of the user namespace. While still allowing the
fully unix permission model inside user namespaces.
I am in the final stages of getting the changes in the vfs and in fuse
to allow unprivileged users to mount that filesystem. plan9fs would
also be a candidate for that kind of treatment if it had a maintainer.
Eric
prev parent reply other threads:[~2018-02-16 18:27 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-13 22:12 plan9 semantics on Linux - mount namespaces Enrico Weigelt
2018-02-13 22:19 ` Enrico Weigelt
2018-02-13 22:27 ` Aleksa Sarai
2018-02-14 0:01 ` Enrico Weigelt
2018-02-14 4:54 ` Aleksa Sarai
2018-02-14 10:18 ` Enrico Weigelt
2018-02-14 10:24 ` Aleksa Sarai
2018-02-14 11:27 ` Enrico Weigelt
2018-02-14 11:30 ` Richard Weinberger
2018-02-14 12:38 ` Enrico Weigelt
2018-02-14 12:53 ` Richard Weinberger
2018-02-14 14:03 ` Enrico Weigelt
2018-02-14 14:19 ` Richard Weinberger
2018-02-14 15:02 ` Enrico Weigelt
2018-02-14 15:17 ` Richard Weinberger
2018-02-14 17:21 ` Enrico Weigelt
2018-02-14 17:50 ` Richard Weinberger
2018-02-14 18:01 ` Enrico Weigelt
2018-02-14 18:12 ` Richard Weinberger
2018-02-14 18:32 ` Enrico Weigelt
2018-02-14 20:39 ` Aleksa Sarai
2018-02-16 18:26 ` Eric W. Biederman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87po54x024.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=containers@lists.linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lkml@metux.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox