Re: [Fedora 15/19] kexec: Export sysfs attributes for secureboot and secure modules to user space

On Thu, Sep 05, 2013 at 02:47:25PM -0700, Eric W. Biederman wrote:

[..]
> >> An important detail to look at is mount propagation, especially on
> >> fedora.  You need to make all of your mounts private to make certain
> >> mounts don't propagate out and possibly take some defensive measures
> >> to keep mounts or umounts from propagating in.  Remount /proc
> >> and /sys should be enough to defend against that but it is worth
> >> thinking about.
> >
> > Hi Eric,
> >
> > I do make /sbin/kexec's mount namespace private recursively so that no
> > mount events are propagated in/out.
> >
> > +	 * make root private so that no mount event from previous
> > namespace
> > +	 * are propogated
> > +	 */
> > +	ret = mount("", "/", "", MS_REC | MS_PRIVATE, "");
> > +	if (ret == -1) {
> > +		fprintf(stderr, "mount(MS_REC|MS_PRIVATE) failed:%s\n",
> > +					strerror(errno));
> > +		return -1;
> > +	}
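Review bot: the comment above the mount() call should state the ordering it depends on: MS_REC|MS_PRIVATE on "/" only detaches the mounts that exist in the calling namespace at that moment from their peer groups, so the call is only meaningful after the process has already done unshare(CLONE_NEWNS), which this hunk does not show; spell that out in the comment (and fix "propogated" to "propagated" while there). Passing "" for source, filesystemtype and data is harmless, since mount(2) ignores those arguments for a propagation-type change, but NULL is the usual idiom and makes the intent clearer. Minor: the error message "mount(MS_REC|MS_PRIVATE) failed:%s\n" is missing a space after the colon.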
> 
> That prevents transmission but my previous read of the code says you
> will still receive mount changes, for mount points the parent shares.
> Which are all of them in the world of systemd, last I heard.

Hi Eric,

I think I am not understanding something very basic. I am not sure what
you mean by "still receive mount changes for mount points the parent shares".
I tried the following.

- Open a terminal
- mkdir /tmp/kexec-proc
- mount -t proc none /tmp/kexec-proc
- Now open another terminal and launch a bash shell with separate mount
  namespace
  unshare -m bash
- In the new bash shell I can see that proc is mounted on /tmp/kexec-proc
- In the new bash shell, make / private recursively.
  mount --make-rprivate /
- Now in the original bash shell unmount /tmp/kexec-proc
- I go back to the new bash and there /tmp/kexec-proc is still mounted. So
  changes to the original mount namespace were not reflected in this new one.
  I am assuming the same will happen when systemd makes some changes to the
  initial mount namespace and they should not be visible in /sbin/kexec's
  mount namespace.

Looks like I am entirely missing the point you are making. Can you please
elaborate a bit?

Thanks
Vivek
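A way to verify from inside the unshared shell that `mount --make-rprivate /` did what the experiment above relies on is to inspect the optional fields of /proc/self/mountinfo rather than watch one mount point: a mount that is still in a peer group carries `shared:N`, one that only receives events carries `master:N`, and a private mount carries neither. The C program below is an added example, not code from this thread or from kexec-tools; the three mountinfo lines embedded in it are constructed, and the function and type names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Propagation state of one mount, derived from the optional fields of a
 * /proc/self/mountinfo record (format documented in proc(5)). */
enum prop_type {
    PROP_PRIVATE,     /* neither shared: nor master: tag: sends and receives nothing */
    PROP_SHARED,      /* shared:N present: member of a peer group, sends and receives */
    PROP_SLAVE,       /* master:N only: receives events from its master, sends none */
    PROP_UNBINDABLE,  /* unbindable: private and cannot be bind-mounted */
    PROP_INVALID      /* the line did not parse as a mountinfo record */
};

/* One mountinfo line looks like:
 *   id parent maj:min root mountpoint opts [optional fields...] - fstype source superopts
 * The optional fields sit between the sixth field and the " - " separator.
 * Spaces inside paths are escaped as \040 by the kernel, so " - " is unambiguous. */
enum prop_type classify_mountinfo_line(const char *line)
{
    const char *sep = strstr(line, " - ");
    if (sep == NULL)
        return PROP_INVALID;

    /* Skip the six mandatory fields that precede the optional ones. */
    const char *p = line;
    for (int i = 0; i < 6; i++) {
        p = strchr(p, ' ');
        if (p == NULL || p > sep)
            return PROP_INVALID;
        p++;
    }

    /* Walk the (possibly empty) optional-field region token by token. */
    int shared = 0, master = 0, unbindable = 0;
    const char *q = p;
    while (q < sep) {
        const char *end = memchr(q, ' ', (size_t)(sep - q));
        if (end == NULL)
            end = sep;
        size_t len = (size_t)(end - q);
        if (len >= 7 && strncmp(q, "shared:", 7) == 0)
            shared = 1;
        else if (len >= 7 && strncmp(q, "master:", 7) == 0)
            master = 1;
        else if (len == 10 && strncmp(q, "unbindable", 10) == 0)
            unbindable = 1;
        q = end + 1;
    }
    if (unbindable)
        return PROP_UNBINDABLE;
    if (shared)          /* a mount can be both shared and a slave; it still sends */
        return PROP_SHARED;
    if (master)
        return PROP_SLAVE;
    return PROP_PRIVATE;
}

/* Count the mounts in a mountinfo text that still take part in propagation
 * (shared or slave). Zero means "mount --make-rprivate /" has taken effect. */
int count_propagating_mounts(const char *mountinfo)
{
    int count = 0;
    const char *line = mountinfo;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char copy[512];
        if (len < sizeof copy) {
            memcpy(copy, line, len);
            copy[len] = '\0';
            enum prop_type t = classify_mountinfo_line(copy);
            if (t == PROP_SHARED || t == PROP_SLAVE)
                count++;
        }
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return count;
}

/* Constructed sample in /proc/self/mountinfo format (not copied from any real
 * system): a shared root, a slave mount, and a private proc mount. */
const char *SAMPLE_MOUNTINFO =
    "22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "36 22 0:18 / /mnt/slave rw,relatime master:1 - ext4 /dev/sdb1 rw\n"
    "40 22 0:4 / /tmp/kexec-proc rw,nosuid - proc none rw\n";

int main(void)
{
    /* First the sample, then the calling process's own namespace; after
     * "unshare -m" plus "mount --make-rprivate /" the second count is 0. */
    printf("sample: %d propagating mounts\n", count_propagating_mounts(SAMPLE_MOUNTINFO));

    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (f == NULL) {
        perror("fopen /proc/self/mountinfo");
        return 1;
    }
    static char live[1 << 16];
    size_t got = fread(live, 1, sizeof live - 1, f);
    fclose(f);
    live[got] = '\0';
    printf("this namespace: %d propagating mounts\n", count_propagating_mounts(live));
    return 0;
}
```

Build with `cc -std=c99 -Wall`, run it once in the original shell and once after `unshare -m bash; mount --make-rprivate /`; the live count should drop to zero in the second case. Since a new mount inherits the propagation type of the mount it is created under, anything /sbin/kexec mounts after making / private (its own /proc instance, for example) will also show no shared or master tag.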
_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel