On Tue, Oct 14, 2014 at 3:07 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> On Tue, Oct 14, 2014 at 2:57 PM, Eric W. Biederman
>>> Seth, this should address a problem that's related to yours.  If a
>>> userns creates an untrusted fs (by any means, although admittedly fuse
>>> and user namespaces don't work all that well together right now), then
>>> this prevents shenanigans that could happen when the userns passes an fd
>>> pointing at the filesystem out to the root ns.
>>
>> Andy for now I really think we are best not even reading those
>> capabilities into the vfs from unprivileged mounts.
>
> But won't we want to support letting userns containers create setuid
> files and security labels using FUSE and related things for their own
> benefit someday?  This lets us do that without compromising the init
> namespace.

More concretely, root in a userns should be able to have a setuid-whomever
or security-labeled file, and another user in that userns should be able
to exec it and transition.  But, if you're outside the userns, then:

$ /proc/PID_IN_USERNS/root/path/to/labeled/file

shouldn't transition.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
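The policy Andy sketches above (setuid or labeled files on a mount created inside a userns transition for tasks inside that userns, but not for a task outside it that reaches the file through /proc/PID/root) can be written down as a small decision function. The block below is an added userspace model of that decision; it is not code from this thread or from the kernel, and every struct, function and namespace name in it is this model's own. The three checks it combines (mount not nosuid, mount belongs to the caller's mount namespace, caller's user namespace is the superblock's owner or nested inside it) follow the shape of the mnt_may_suid() helper the kernel adopted later, but the topology, tasks and filesystem are constructed here for illustration.

```c
/* Added example: a userspace model of the "should this exec transition?"
 * decision for a setuid/labeled file on a mount created inside a userns.
 * Not code from the thread or from the kernel; all names are this model's
 * own.  Assumption: the rule is the later-kernel mnt_may_suid() shape:
 * not nosuid, mount visible in the caller's mount namespace, caller's
 * user namespace equal to or nested inside the fs owner's user namespace. */
#include <stdbool.h>
#include <stdio.h>

struct user_ns { const char *name; const struct user_ns *parent; };
struct mnt_ns  { const char *name; };
struct superblock { const struct user_ns *s_user_ns; }; /* ns that created the fs */
struct mount {
    const struct superblock *sb;
    const struct mnt_ns *owner_mnt_ns;  /* mount namespace this mount lives in */
    bool nosuid;
};
struct task { const struct user_ns *user_ns; const struct mnt_ns *mnt_ns; };

/* True if `ns` is `target` or is nested (at any depth) inside `target`. */
static bool userns_in(const struct user_ns *ns, const struct user_ns *target)
{
    for (; ns != NULL; ns = ns->parent)
        if (ns == target)
            return true;
    return false;
}

/* A path reached through /proc/PID/root leads to a mount that belongs to
 * the other task's mount namespace, not the caller's. */
static bool mount_in_callers_mnt_ns(const struct mount *m, const struct task *t)
{
    return m->owner_mnt_ns == t->mnt_ns;
}

/* Should exec of a setuid/labeled file on mount `m` transition credentials
 * for `caller`? */
bool may_suid_model(const struct mount *m, const struct task *caller)
{
    return !m->nosuid
        && mount_in_callers_mnt_ns(m, caller)
        && userns_in(caller->user_ns, m->sb->s_user_ns);
}

/* Constructed topology: init namespaces, one container, one nested userns. */
static const struct user_ns init_user_ns   = { "init_user_ns", NULL };
static const struct user_ns ctr_user_ns    = { "container", &init_user_ns };
static const struct user_ns nested_user_ns = { "nested", &ctr_user_ns };
static const struct mnt_ns  init_mnt_ns    = { "init_mnt_ns" };
static const struct mnt_ns  ctr_mnt_ns     = { "container_mnt_ns" };

/* A FUSE-style filesystem mounted by container root, inside the container. */
static const struct superblock ctr_sb = { &ctr_user_ns };
static const struct mount ctr_mount = { &ctr_sb, &ctr_mnt_ns, false };

/* Case 1: another user in the same userns execs the file: transitions. */
bool case_exec_inside_userns(void)
{
    const struct task t = { &ctr_user_ns, &ctr_mnt_ns };
    return may_suid_model(&ctr_mount, &t);
}

/* Case 2: host root reaches the file via /proc/PID_IN_USERNS/root/...:
 * the mount is not in the host's mount namespace and init_user_ns is not
 * inside the container's userns, so no transition. */
bool case_exec_via_proc_root(void)
{
    const struct task t = { &init_user_ns, &init_mnt_ns };
    return may_suid_model(&ctr_mount, &t);
}

/* Case 3: a userns nested inside the container, same mount ns: transitions. */
bool case_exec_from_nested_userns(void)
{
    const struct task t = { &nested_user_ns, &ctr_mnt_ns };
    return may_suid_model(&ctr_mount, &t);
}

/* Case 4: same caller as case 1, but the mount is nosuid: never transitions. */
bool case_nosuid_mount(void)
{
    const struct mount m = { &ctr_sb, &ctr_mnt_ns, true };
    const struct task t = { &ctr_user_ns, &ctr_mnt_ns };
    return may_suid_model(&m, &t);
}

int main(void)
{
    printf("inside userns:      %s\n", case_exec_inside_userns() ? "transition" : "no transition");
    printf("via /proc/PID/root: %s\n", case_exec_via_proc_root() ? "transition" : "no transition");
    printf("nested userns:      %s\n", case_exec_from_nested_userns() ? "transition" : "no transition");
    printf("nosuid mount:       %s\n", case_nosuid_mount() ? "transition" : "no transition");
    return 0;
}
```

The model deliberately stops at the mount-level decision. A real kernel also has to refuse the transition when the file's owner or the target of the label does not map into the caller's user namespace at all (a setuid-to-unmapped-uid file has no meaningful target), and file capabilities need the same superblock-owner check as setuid bits; neither is modeled here, so treat the four cases as illustrating the /proc/PID/root argument in the message, not as a complete exec-time credential policy.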