[Bug 120671] missing info about userns restrictions

https://bugzilla.kernel.org/show_bug.cgi?id=120671

Michał Zegan <webczat_200@xxxxxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|CODE_FIX                    |---

--- Comment #8 from Michał Zegan <webczat_200@xxxxxxxxxxxxxx> ---
Reopening because I confirmed the fact about filesystems not being mountable,
at least ext2. As I do not know kernel well enough to read sources, it would be
useful to have a list of filesystems that are mountable but I cannot write it,
I only know at least proc, devpts? tmpfs and cgroupv2 at least if cgroup
namespaces are enabled. All my words have to be verified to make sure I am not
wrong. Also someone should find any other restrictions user namespaces impose
if they exist because I do not know any.
To make you confident I tested filesystem mounting properly, I will paste my
terminal session after changing to English locale. :)
Logged in as my server's root and making user/mount/pid namespace.
[root@webczatnet ~]# unshare -rUpmf
[root@webczatnet ~]# fallocate -l 1M test
[root@webczatnet ~]# losetup /dev/loop0 test
[root@webczatnet ~]# mke2fs /dev/loop0
mke2fs 1.42.13 (17-May-2015)
Discarding device blocks: done                            
Creating filesystem with 1024 1k blocks and 128 inodes
Allocating group tables: done                            
Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done
[root@webczatnet ~]# mkdir x
[root@webczatnet ~]# mount /dev/loop0 x
mount: permission denied
[root@webczatnet ~]# exit
logout
[root@webczatnet ~]# mount /dev/loop0 x
[root@webczatnet ~]# umount x
[root@webczatnet ~]# rmdir x
[root@webczatnet ~]# losetup -d /dev/loop0
[root@webczatnet ~]# rm test

One comment: not sure why I can losetup from userns, like is it because I have
rw on loop0 as root is mapped to new userns root, or does it check
CAP_SYS_ADMIN in the new userns, or both?
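The same check the session above performs, written here as an added example (not code from the bug report or from the kernel project) with raw syscalls, so that the part the kernel decides is separated from what mount(8) and losetup(8) do in userspace. It assumes Linux with glibc and a host that allows unprivileged user namespace creation; the function names probe_fs_in_userns, classify_mount_errno and probe_result_name and the list of probed types are the example's own choices. Because the kernel rejects a filesystem type that is not marked mountable from a user namespace before it opens any device, no loop device is needed: passing "none" as the source is enough to observe the EPERM for ext2.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER   /* headers read without _GNU_SOURCE: use the kernel's values */
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
#endif
#ifndef CLONE_NEWCGROUP /* missing from older glibc headers */
#define CLONE_NEWCGROUP 0x02000000
#endif
int unshare(int flags);

/* Outcome of one probe; also used as the helper process's exit status. */
enum probe_result { PROBE_MOUNTABLE = 0, PROBE_DENIED, PROBE_NO_SUCH_FS,
                    PROBE_OTHER_ERROR, PROBE_NO_USERNS };

/* Map the errno left by mount(2) inside the new namespaces to a result. */
enum probe_result classify_mount_errno(int err)
{
    if (err == 0)      return PROBE_MOUNTABLE;
    if (err == EPERM)  return PROBE_DENIED;     /* kernel refused it for this user ns */
    if (err == ENODEV) return PROBE_NO_SUCH_FS; /* kernel does not know the type */
    return PROBE_OTHER_ERROR;
}

const char *probe_result_name(enum probe_result r)
{
    static const char *const names[] = { "mountable", "denied (EPERM)",
        "no such filesystem type (ENODEV)", "other error", "user namespaces unavailable" };
    return names[r];
}

/* Write one id-map line for ourselves, as `unshare -r` does (best effort:
 * the mount permission check does not depend on the mapping). */
static void write_map(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return;
    (void)!write(fd, line, strlen(line));
    close(fd);
}

/* Exit status of a child; abnormal termination counts as an error. */
static int wait_status(pid_t pid)
{
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return PROBE_OTHER_ERROR;
    return WEXITSTATUS(st);
}

/* Raw-syscall equivalent of `unshare -rUpmf sh -c "mount -t $fstype none /tmp"`:
 * a helper enters new user, mount and pid namespaces; its child, pid 1 of the
 * new pid namespace (which proc requires), attempts the mount. */
enum probe_result probe_fs_in_userns(const char *fstype)
{
    pid_t helper = fork();
    if (helper < 0)
        return PROBE_OTHER_ERROR;
    if (helper == 0) {
        int flags = CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWPID;
        char line[64];
        /* A cgroup namespace is what lets cgroup2 mount; retry without it on kernels that reject the flag. */
        if (unshare(flags | CLONE_NEWCGROUP) != 0 && unshare(flags) != 0)
            _exit(PROBE_NO_USERNS);
        snprintf(line, sizeof line, "0 %u 1", (unsigned)getuid());
        write_map("/proc/self/uid_map", line);
        write_map("/proc/self/setgroups", "deny");  /* must precede gid_map */
        snprintf(line, sizeof line, "0 %u 1", (unsigned)getgid());
        write_map("/proc/self/gid_map", line);
        pid_t child = fork();
        if (child < 0)
            _exit(PROBE_OTHER_ERROR);
        if (child == 0) {
            /* The user-namespace check precedes any device access, so a dummy source
             * suffices even for ext2; the mount exists only in the private mount ns. */
            int err = mount("none", "/tmp", fstype, 0, NULL) == 0 ? 0 : errno;
            _exit(classify_mount_errno(err));
        }
        _exit(wait_status(child));
    }
    return (enum probe_result)wait_status(helper);
}

int main(void)
{
    /* Types named in the report, plus ext2 as the block-backed counterexample. */
    const char *types[] = { "proc", "devpts", "tmpfs", "cgroup2", "ext2" };
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++)
        printf("%-8s %s\n", types[i], probe_result_name(probe_fs_in_userns(types[i])));
    return 0;
}
```

Run it as an ordinary user. "denied (EPERM)" means the kernel refused the type for that user namespace; inside a container whose /proc has paths masked, proc reports it too, because the kernel refuses a fresh proc mount that would reveal more than the existing one. "user namespaces unavailable" on every line means unprivileged user namespace creation is disabled on the host, which is itself useful to know when judging what an unprivileged local account can do.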
