Dongsu, Am Samstag, 23. Dezember 2017, 13:18:30 CET schrieb Dongsu Park: > Hi, > > On Fri, Dec 22, 2017 at 10:06 PM, Richard Weinberger > > <richard.weinberger@xxxxxxxxx> wrote: > > Dongsu, > > > > On Fri, Dec 22, 2017 at 3:32 PM, Dongsu Park <dongsu@xxxxxxxxxx> wrote: > >> From: Seth Forshee <seth.forshee@xxxxxxxxxxxxx> > >> > >> Unprivileged users should not be able to mount mtd block devices > >> when they lack sufficient privileges towards the block device > >> inode. Update mount_mtd() to validate that the user has the > >> required access to the inode at the specified path. The check > >> will be skipped for CAP_SYS_ADMIN, so privileged mounts will > >> continue working as before. > > > > What is the big picture of this? > > Can in future an unprivileged user just mount UBIFS? > > I'm not sure I'm aware of all use cases w.r.t mtd & ubifs. > To my understanding, in these days many container runtimes allow > unprivileged users to run containers. (docker, lxc, runc, bubblewrap, etc) > That's why the kernel should deal with additional permission checks > that might have not been necessary in the past. > This MTD patch is one of those special cases. My fear is that a corner case is forgotten and all of a sudden someone can do funky things with MTD in a container... Thanks, //richard _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
