Re: [CFT][PATCH 0/10] Making new mounts of proc and sysfs as safe as bind mounts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, May 14, 2015 at 12:30:45PM -0500, Eric W. Biederman wrote:
> 
> The code is currently available at:
> 
>    git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-testing
> 
>    HEAD: a524faf520600968e58bbc732063fccf2fdf9199 mnt: Update fs_fully_visible to test for permanently empty directories
> 
> The problem:  Mounting a new instance of proc of sysfs can allow things
> that a bind mount of those filesystems would not.
> 
> That is the cases I am dealing with are:
>      unshare --user --net --mount ; mount -t sysfs ...
>      unshare --user --pid --mount ; mount -t proc ...
> 
> The big change is that this set of changes enforces the preservation of
> locked mount flags, from the existing mount to the current mount.  Which
> means that if proc was mounted read-only the current current will allow
> a new instance of proc to be mounted read-write, and this set of changes
> enforces that proc remain read-only.
> 
> The other gotcha is that the current code does not properly detect empty
> directories so to prevent things slipping through the cracks this set of
> changes annotates all mount points where nothing will be revealed if
> the filesystem mounted on top is removed.
> 
> Enforcing the administrators policy can actually matter in the real
> world as has been shown by the recent docker issue.
> 
> With this patchset I have two concerns:
> - The enforcement of mount flag preservation on proc and sysfs may break
>   things.  (I am especially worried about the implicit adding of nodev).

What do you mean by this?  What got added?

> - I missed a filesystem mountpoint on proc or sysfs which would make a
>   fresh copy unmountable for no good reason.
> 
> I don't want to break userspace if I can help it, and the code has been
> this way for a while so I figure there is time to find any pitfalls and
> address them before this code gets merged.
> 
> So if this works for you please give me your Tested-By
> 
> The well known mountpoints for pseudo filesystems that I could find are:
> /dev/ffs*/                 functionfs
> /dev/gadget/               gadgetfs
> /dev/mqueue                mqueue
> /dev/oprofile/             oprofilefs
> /dev/pts/                  devpts

/dev/shm gets a tmpfs, right?  Or do those not matter here?

> /dlm/                      ocfs2_dlmfs
> /ipath/                    ipathfs
> /proc/fs/nfsd/             nfsd
> /proc/openprom/            openpromfs
> /proc/sys/fs/binfmt_misc/  binfmt_misc
> /spu/                      spufs

> /sys/firmware/efi/efivars/ efivarfs
> /sys/fs/cgroup/            cgroup
> /sys/fs/fuse/connections/  fusectl

I thought fuse mounted a few more things in here, but I don't know for
sure.

> /sys/fs/pstore/            pstore
> /sys/fs/selinux/           selinuxfs
> /sys/fs/smackfs/           smackfs
> /sys/hypervisor/s390/      s390_hypfs
> /sys/kernel/config/        configfs
> /sys/kernel/debug/         debugfs
> /sys/kernel/security/      securityfs
> /sys/kernel/tracing/       tracefs

I think these are all correct for sysfs, I have a minor comment on the
sysfs patch I'll make in it.

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux