| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <877eu8ibor.fsf@xmission.com>
Date: Wed, 29 Nov 2017 23:21:24 -0600
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Ian Kent <raven@...maw.net>
Cc: Linux Containers <containers@...ts.linux-foundation.org>,
linux-kernel@...r.kernel.org, Miklos Szeredi <mszeredi@...hat.com>,
linux-fsdevel@...r.kernel.org,
Seth Forshee <seth.forshee@...onical.com>
Subject: Re: [PATCH 0/2] userns: automount cleanups
Ian Kent <raven@...maw.net> writes:
> On 30/11/17 08:01, Eric W. Biederman wrote:
>>
>> While reviewing some code I realized that in getting d_automount working
>> with s_user_ns I had left behind some unnecessary relics of the blind
>> path I started down. Here are two patches that remove those relics.
>>
>> Unless someone has another preference I will drop them in my userns tree
>> and merge them that way.
>
> I saw the "<etc>->s_user_ns != &init_user_ns" and wondered if that would
> trigger for automount(8) run entirely with a container (eg. docker)?
autofs still needs FS_USERNS_MOUNT before you can reach that point. But
docker does have a mode ?--userns-remap? where it sets up the containers
mounts that way.
I think in principle that should work and be safe. I don't know how
robust autofs is against malicious users. Which is the question to ask
before actually adding FS_USERNS_MOUNT in struct file_system_type.
> Anyway, it's gone now, so ACK to these two, thanks Eric.
Eric
Powered by blists - more mailing lists