Re: [PATCH 3/4] fs: allow mknod in user namespaces

Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> Glauber Costa <glommer@xxxxxxxxxxxxx> writes:
> 
> > Since we have strict control on who accesses the devices, it should be
> > no problem to allow the device to appear.
> 
> Having cgroups or user namespaces grant privileges makes me uneasy.
> 
> With these patches it looks like I can do something evil like.
> 
> 1. Create a devcgroup.
> 2. Put a process in it.
> 3. Create a usernamespace.
> 4. Run a container in that user namespace.
> 5. As an unprivileged user in that user namespace create another user namespace.
> 6. Call mknod and have it succeed.

Not if the devcgroup forbids it.

> Or in short I don't think this handles nested user namespaces at all.
> With or without Serge's suggested change.

Yeah, my change doesn't help, other than to stop the unpriv user from
creating the device in an fs he doesn't own...

> At a practical level now is not the right time to be granting more
> permissions to user namespaces.  Lately too many silly bugs have been
> found in what is already there.

I agree.

I realize this doesn't help the CentOS old-udev situation, but otherwise
bind mounting device files works fine, so I agree we should wait.
Sorry.

-serge
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
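The workaround Serge points to at the end of the thread is to bind mount an existing host device node into the container's /dev rather than letting the container call mknod. The script below is an added example, not code from the thread or from the kernel patch series, showing that approach with the checks a practitioner would want before the mount: the source must actually be a character or block device, the rootfs path must be absolute, and the mount is remounted nosuid,noexec so the container only gains the device node itself. The `bind_device` function, its dry-run mode and the `/dev/null` and rootfs paths used are assumptions for illustration; the real mount step needs CAP_SYS_ADMIN in the host mount namespace, so the dry run is what an unprivileged caller can exercise.

```shell
#!/bin/sh
# Added example (not part of the thread): expose a host device node inside a
# container rootfs with a bind mount instead of allowing mknod in the
# user namespace. Hypothetical helper; /dev/null and the rootfs path are
# constructed sample inputs.

# run_or_print CMD...  -- in dry-run mode print the command, else execute it
run_or_print() {
    if [ "$DRYRUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# bind_device SRC ROOTFS [DRYRUN]
# SRC    : host device node (e.g. /dev/null)
# ROOTFS : absolute path of the container root filesystem
# DRYRUN : "1" prints the commands instead of running them
bind_device() {
    src="$1"; rootfs="$2"; DRYRUN="${3:-0}"

    # Only a real device node may be exposed; a bind mount of a regular
    # file or directory would silently hand the container something else.
    if [ ! -c "$src" ] && [ ! -b "$src" ]; then
        echo "refusing: $src is not a character or block device" >&2
        return 1
    fi

    # Refuse relative rootfs paths: they resolve against the caller's cwd and
    # make it easy to mount the device somewhere unintended.
    case "$rootfs" in
        /*) ;;
        *)  echo "refusing: rootfs must be an absolute path" >&2; return 1 ;;
    esac

    target="$rootfs/dev/$(basename "$src")"

    # Bind mounts need an existing mount point, so create an empty regular
    # file (not a device node) to mount over.
    run_or_print mkdir -p "$rootfs/dev" || return 1
    run_or_print touch "$target" || return 1

    # Bind the host node into the container's /dev, then tighten the mount
    # options: nosuid/noexec are meaningful on the bind, nodev is NOT used
    # because it would disable exactly the device we are exposing.
    run_or_print mount --bind "$src" "$target" || return 1
    run_or_print mount -o remount,bind,nosuid,noexec "$target" || return 1
}

# Example invocation in dry-run mode (prints the four commands it would run):
# bind_device /dev/null /srv/containers/c1/rootfs 1
```

Run it with a third argument of `1` to see the exact mount commands before granting the script CAP_SYS_ADMIN; the function returns non-zero without touching anything when the source is not a device node or the rootfs path is relative.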

