Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx): > Theodore Ts'o <tytso@xxxxxxx> writes: > > > On Wed, Apr 30, 2014 at 12:16:41AM +0000, Serge Hallyn wrote: > >> I forget the details, but there was another case where I wanted to > >> have the userns which 'owns' the whole fs available. I guess we'd > >> have to check against that instead of using inode_capable. > > > > Yes, that sounds right. > > > > And *please* tell me that that under no circumstances can anyone other > > than root@init_user_ns is allowed to use mknod.... > > Nope. mknod not allowed. capable(CAP_MKNOD) is required is required > and I can't see any reason to change that. > > As a rule of thumb, the only additional actions allowed in a user > namespace above and beyond what an ordinary unpriviliged user would be > allowed to do are those things which we only don't allow because they > could confuse a setuid root executable. > > > If we ever allow the creation of immutable files by unprivileged users > those files would at least have to be kept completely separate from the > files the global root encounters (aka a disjoint mount namespace). > > I do not currently see a path to safely using immutable files with just > user namespace root permission. It's very far off, but I think the path is: 1. at first mount of a blockdev, note the cred (or just userns) which mounted it 2. work on auditing superblock readers so we can start allowing some blockdev mounts in user namespaces :) 3. check for privilege against the userns owning a superblock -serge _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
