"Michael Kerrisk (man-pages)" <mtk.manpages@xxxxxxxxx> writes:

> Hello Eric,
>
> On Fri, 2 Nov 2018 at 12:33, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
>
> [...]
>
> Thanks for taking the time to reply at length!
>
>> My thoughts:
>> a) I do foresee attacks
>> b) Anyone can create a user namespace and then a mount namespace
>> so I don't see the point of a set-UID-root program.
>> c) The work to support mounting a filesystem in your own
>> mount namespace owned by your own user namespace is essentially
>> complete at this point.
>
> Re point (c), this includes mounts of block devices, right?

fuseblk is not yet supported.

The vfs level things are pretty much complete. The issue is that validating filesystems from attacks from below (aka corrupted block devices) is difficult. Sufficiently difficult that no one wants to support that on an in-kernel filesystem. So I don't expect a kernel implementation of block device filesystems any time soon.

A fuse driver can read/write the block device and present it as a filesystem.

The bottom line is that with fuse, tmpfs, proc, and sysfs working the interesting bits are pretty much done.

>> Michael do we need to update the man pages somewhere to document that
>> you can now mount fuse filesystems in any mount namespace?
>
> That would be great. Perhaps this belongs in user_namespaces(7) (or
> perhaps mount_namespaces(7)). But I need some help with the text...

If you can help point me at the proper location, I will be happy to help. Perhaps as part of my preparation for my talk at LPC on unprivileged mounts I can find the time.

Eric
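Eric's point (b) above, as an added example written for this page rather than code from the thread or from the kernel: an unprivileged process creates its own user namespace, then a mount namespace owned by it, and mounts tmpfs there, returning the errno of whichever step the kernel or distribution policy refused. It assumes Linux with /proc mounted; the function name try_unprivileged_tmpfs and the /tmp mount point are my choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/vfs.h>
#include <linux/magic.h>

/* Write one line to a /proc file such as uid_map; 0 on success, -errno on failure. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int err = write(fd, text, strlen(text)) < 0 ? -errno : 0;
    close(fd);
    return err;
}

/* Point (b) as code: new user namespace, then new mount namespace, then a tmpfs mount
 * on dir visible only inside them. Returns 0 if the kernel allowed it, -errno otherwise. */
int try_unprivileged_tmpfs(const char *dir)
{
    char map[64];
    unsigned uid = getuid(), gid = getgid(); /* read before unshare: unmapped ids read as 65534 */
    /* 1. User namespace: map our real uid/gid to 0 so we hold capabilities inside it. */
    if (unshare(CLONE_NEWUSER) < 0) return -errno;
    int err = write_file("/proc/self/setgroups", "deny"); /* required before gid_map */
    if (err && err != -ENOENT) return err;                /* ENOENT: pre-3.19 kernel */
    snprintf(map, sizeof map, "0 %u 1\n", uid);
    if ((err = write_file("/proc/self/uid_map", map))) return err;
    snprintf(map, sizeof map, "0 %u 1\n", gid);
    if ((err = write_file("/proc/self/gid_map", map))) return err;
    /* 2. Mount namespace owned by that user namespace, kept private so nothing propagates back. */
    if (unshare(CLONE_NEWNS) < 0) return -errno;
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return -errno;
    /* 3. The mount itself; tmpfs is one of the filesystems the thread names as working. */
    if (mount("none", dir, "tmpfs", MS_NOSUID | MS_NODEV, "size=1m") < 0) return -errno;
    struct statfs sf;
    if (statfs(dir, &sf) < 0) return -errno;
    return sf.f_type == TMPFS_MAGIC ? 0 : -ENOTSUP; /* confirm what is now mounted on dir */
}
int main(void)
{
    int rc = try_unprivileged_tmpfs("/tmp");
    printf("unprivileged tmpfs mount: %s\n", rc ? strerror(-rc) : "allowed");
    return rc != 0;
}
```

On a system that disables unprivileged user namespaces the first unshare() is what fails, and the returned errno tells an administrator which policy is in effect before any mount is attempted.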