Hi, On Thu, May 24, 2018 at 1:22 AM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: > > Very slowly the work has been progressing to ensure the vfs has the > necessary support for mounting filesystems without privilege. > > This patchset contains one more core piece of that work, ensuring a few > more operations that would write back an inode and confuse an exisiting > filesystem are denied. > > The rest of the changes actually enable userns root to do things with > filesystems that the userns root has mounted. Most of these have been > waiting in the wings a long time, held back because I wanted the core > of the patchset to be solid before I started allowing additional > behavor. > > It is definitely time for these changes so the effect of s_user_ns > becomes less theoretical. > > The change to allow mknod is new, but consistent with everything else > and harmless as device nodes on filesystems mounted without privilege > are ignored. > > Unless problems show up in the during review I plan to merge these changes. Thank you for the great work. I have been looking forward to seeing it. I have just gathered available relevant patches in my branch: https://github.com/kinvolk/linux/tree/dongsu/fuse-userns-for-4.18 With this branch, I tested sshfs/fuse from non-init user namespace. It works fine as expected. So you can add: Tested-by: Dongsu Park <dongsu@xxxxxxxxxx> Thanks! Dongsu > These changes are also available at: > git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git userns-test > > Eric W. Biederman (5): > vfs: Don't allow changing the link count of an inode with an invalid uid or gid > vfs: Allow userns root to call mknod on owned filesystems. > fs: Allow superblock owner to replace invalid owners of inodes > fs: Allow superblock owner to access do_remount_sb() > capabilities: Allow privileged user in s_user_ns to set security.* xattrs > > Seth Forshee (1): > fs: Allow CAP_SYS_ADMIN in s_user_ns to freeze and thaw filesystems > > fs/attr.c | 36 ++++++++++++++++++++++++++++-------- > fs/ioctl.c | 4 ++-- > fs/namei.c | 16 ++++++++++++---- > fs/namespace.c | 4 ++-- > security/commoncap.c | 8 ++++++-- > 5 files changed, 50 insertions(+), 18 deletions(-) > > Eric > _______________________________________________ > Containers mailing list > Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx > https://lists.linuxfoundation.org/mailman/listinfo/containers
