lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140520142629.GI26600@ubuntumail>
Date:	Tue, 20 May 2014 14:26:29 +0000
From:	Serge Hallyn <serge.hallyn@...ntu.com>
To:	LXC development mailing-list 
	<lxc-devel@...ts.linuxcontainers.org>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	"Michael H. Warfield" <mhw@...tsEnd.com>,
	linux-kernel@...r.kernel.org, Jens Axboe <axboe@...nel.dk>,
	Arnd Bergmann <arnd@...db.de>,
	Serge Hallyn <serge.hallyn@...onical.com>,
	James Bottomley <James.Bottomley@...senPartnership.com>
Subject: Re: [lxc-devel] [RFC PATCH 00/11] Add support for devtmpfs in user
 namespaces

Quoting Serge Hallyn (serge.hallyn@...ntu.com):
> Quoting Seth Forshee (seth.forshee@...onical.com):
> > On Sun, May 18, 2014 at 04:44:58AM +0200, Serge E. Hallyn wrote:
> > > Quoting Seth Forshee (seth.forshee@...onical.com):
> > > > On Fri, May 16, 2014 at 09:31:37PM -0700, Eric W. Biederman wrote:
> > > > > Greg Kroah-Hartman <gregkh@...uxfoundation.org> writes:
> > > > > 
> > > > > > On Fri, May 16, 2014 at 01:49:59AM +0000, Serge Hallyn wrote:
> > > > > >> > I think having to pick and choose what device nodes you want in a
> > > > > >> > container is a good thing.  Becides, you would have to do the same thing
> > > > > >> > in the kernel anyway, what's wrong with userspace making the decision
> > > > > >> > here, especially as it knows exactly what it wants to do much more so
> > > > > >> > than the kernel ever can.
> > > > > >> 
> > > > > >> For 'real' devices that sounds sensible.  The thing about loop devices
> > > > > >> is that we simply want to allow a container to say "give me a loop
> > > > > >> device to use" and have it receive a unique loop device (or 3), without
> > > > > >> having to pre-assign them.  I think that would be cleaner to do using
> > > > > >> a pseudofs and loop-control device, rather than having to have a
> > > > > >> daemon in userspace on the host farming those out in response to
> > > > > >> some, I don't know, dbus request?
> > > > > >
> > > > > > I agree that loop devices would be nice to have in a container, and that
> > > > > > the existing loop interface doesn't really lend itself to that.  So
> > > > > > create a new type of thing that acts like a loop device in a container.
> > > > > > But don't try to mess with the whole driver core just for a single type
> > > > > > of device.
> > > > > 
> > > > > Yes. Something like devpts (without the newinstance option).  Built to
> > > > > allow unprivileged users to create loopback devices.
> > > > 
> > > > That's where I started, and I've got code, so I guess I'll clean it up
> > > > and send patches. If the stance is that only system-wide CAP_SYS_ADMIN
> > > > gets to do privileged block device ioctls, including reading partitions
> > > 
> > > Sorry, where did that come from?  What Eric was referring to below is
> > > the fs superblock readers not being trusted.  Maybe I glossed over another
> > > email where it was mentioned?
> > 
> > You must have. Take a look at [1].
> > 
> > To repeat the point: the ioctl to reread partitions (along with several
> > other block device ioctls) has a capable(CAP_SYS_ADMIN) check. We can't
> > change this to an ns_capable check without at minimum the block layer
> > knowing about the namespace associated with the block device. Ergo we
> 
> Which only means those changes are necessary :)
> 
> So far as I understand, a namespaced devtmpfs is nacked, but a loopfs
> is interesting (and, depending on the implementation, acceptable).  That
> necessarily includes the minimal blockdev changes to support it.
> 
> > can't reread paritions if this is done entirely within the loop driver
> > via a psuedo fs.
> > 
> > [1] http://article.gmane.org/gmane.linux.kernel.containers.lxc.devel/8191

Hm, yeah, I was confuddling two issues.  Nevertheless, for real block devices I
absolutely agree.  For loop devices I don't.  My answer to

> I don't think unpriviliged containers should be able to do partitioning.
> An unpriviliged user can't do that, so why should a container be any
> different?

would be that the loop device is a convenience built atop the backing image,
and if the user had the rights to loop-attach the backing image, he can
just as will partition using write(2), so why artificially plac this limit?

Nevertheless this is not really a debate worth having until we have a
blockdev fs mountable in a userns.

My main interest currently is with privileged containers.  I think we can
learn plenty from that for now.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ