Re: [RFC][PATCH] rbind across namespaces

[Miklos Szeredi]

> > What's more you don't even need /proc, just pass a file descriptor
> > (with reference to mount in different namespace, etc.) to another
> > process with SCM_RIGHTS, do fchrdir(fd), and then do mount --bind,
> > etc.  This actually works with an unmodified kernel.
> 
> It shouldn't.  An unmodified kernel has check_mnt to keep you from doing 
> this.

Common misconception.  Even Al Viro fell for it, even though it was he
who wrote the code :)

What is not allowed is that the _new_ mountpoint is in a different
namespace.  The _old_ mount can actually come from a different
namespace or a detached mount in a bind (not an rbind though).

Again experimentally verified.

The check_mnt() function is not a security measure, rather a locking
measure.  Current code in namespace protects modification of the mount
tree with current->namespace->sem.  The check_mnt() calls are needed,
so that the namespace to be modified is really the current namespace.

This limitation can actually be removed.  See patch by Ram Pai posted
earlier in this thread:

  http://marc.theaimsgroup.com/?l=linux-kernel&m=111683338801090&w=2

The code can be generalized for other types of mounts, not just bind.

With that and allowing access to /proc/self/fd/*, I think we'll have a
proper interface for passing mounts between namespaces.

The mount groups idea is orthogonal to this I think, and I'll send
comments in a separate mail.

Miklos
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/