On Wed, Nov 11, 2015 at 10:24:33AM -0600, Eric W. Biederman wrote:
> Nikolay Borisov <n.borisov@xxxxxxxxxxxxxx> writes:
>
> > Hello Eric,
> >
> > I'd like to ask you what it would take to have proper support of Fuse
> > inside usernamespaces. I've looked through the code of fuse and I can
> > see some things are specifically coded to prevent creating a mount
> > inside userns. E.g. hard-coded usage of init_user_ns or the check
> > inside fuse_fill_super to make sure the fd is obtained from the
> > init_user_ns. I have also read your argument here:
> > https://lkml.org/lkml/2012/11/12/591
> >
> > So I'm interested in knowing the following:
> > * Are you still actively working on making fuse mountable in non-root
> > userns, if not is the partial patch available somewhere? I might be
> > able to do some work on that and hopefully make it upstreamable.
>
> Yes.
>
> > * If the code is not available can you explain what are the main
> > hurdles in getting this to work? In my experiments I've hacked fuse
> > and I'm able to mount glusterfs inside an LXC container but I suspect
> > I might have broken some subtle security aspect :)
>
> The subtle security aspect is definitely where things get tricky.
>
> fuse is unique compared to the existing filesystems that we can mount in
> a user namespace in that it has an untrusted backing store. Dealing
> with an untrusted backing store raises some new challenges with respect
> to the vfs, etc.
>
> The current plan is to deal with all of the weird tricky generic issues
> in the vfs, and then add support for fuse. Solving the backing store
> issues generically instead of a fuse specific way pushes the
> conversation to the right places and with the appropriate people.
>
> Seth Forshee has put in a lot of work to make this happen, and his
> changes are almost there. I had hoped to just do a quick review of his
> work and merge the code this last kernel development cycle.
> Unfortunately the issues are vast enough and subtle enough that it is
> easy to drop a detail or two. So I figure a very close review of what
> Seth has done is needed so that we do not introduce new issues.
>
> Hopefully colds etc won't prevent that from happening this cycle.

Here's where you can find that code:

git://kernel.ubuntu.com/sforshee/linux.git userns-mounts

Seth

Containers mailing list
https://lists.linuxfoundation.org/mailman/listinfo/containers