Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
>
> There is no backing store to ramfs and file creation
> rules are the same as for any other filesystem so
> it is semantically safe to allow unprivileged users
> to mount it.
>
> The memory control group successfully limits how much
> memory ramfs can consume on any system that cares about
> a user namespace root using ramfs to exhaust memory
> the memory control group can be deployed.
But that does mean that to avoid this new type of attack, when handed a
new kernel (i.e. by one's distro) one has to explicitly (know about and)
configure those limits. The "your distro should do this for you"
argument doesn't seem right. And I'd really prefer there not be
barriers to user namespaces being compiled in when there don't have to
be.
What was your thought on the suggestion to only allow FS_USERNS_MOUNT
mounts by users confined in a non-init memory cgroup?
Alternatively, what about a simple sysctl knob to turn on
FS_USERNS_MOUNTs? Then if I've got no untrusted users I can just turn
that on without the system second-guessing me for not having extra
configuration...
>
> Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
> ---
> fs/ramfs/inode.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/fs/ramfs/inode.c b/fs/ramfs/inode.c
> index eab8c09..c24f1e1 100644
> --- a/fs/ramfs/inode.c
> +++ b/fs/ramfs/inode.c
> @@ -260,6 +260,7 @@ static struct file_system_type ramfs_fs_type = {
> .name = "ramfs",
> .mount = ramfs_mount,
> .kill_sb = ramfs_kill_sb,
> + .fs_flags = FS_USERNS_MOUNT,
> };
> static struct file_system_type rootfs_fs_type = {
> .name = "rootfs",
> --
> 1.7.5.4
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
