Re: [lxc-devel] [RFC PATCH 11/11] loop: Allow priveleged operations for root in the namespace which owns a device

From: Serge E. Hallyn
Date: Mon May 26 2014 - 21:36:43 EST

Next message: Namhyung Kim: "Re: [PATCH 13/14] perf tests: Add test for caching dso file descriptors"
Previous message: Joe Perches: "Re: [PATCH 5/4] get_maintainer: shut up perl critic"
In reply to: Seth Forshee: "Re: [lxc-devel] [RFC PATCH 11/11] loop: Allow priveleged operations for root in the namespace which owns a device"
Next in thread: Michael H. Warfield: "Re: [lxc-devel] [RFC PATCH 11/11] loop: Allow priveleged operations for root in the namespace which owns a device"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Quoting Michael H. Warfield (mhw@xxxxxxxxxxxx):
> On Mon, 2014-05-26 at 11:16 +0200, Seth Forshee wrote:
> > On Fri, May 23, 2014 at 08:48:25AM +0300, Marian Marinov wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > One question about this patch.
> > >
> > > Why don't you use the devices cgroup check if the root user in that namespace is allowed to use this device?
> > >
> > > This way you can be sure that the root in that namespace can not access devices to which the host system did not gave
> > > him access to.
>
> > That might be possible, but I don't want to require something on the
> > host to whitelist the device for the container. Then loop would need to
> > automatically add the device to devices.allow, which doesn't seem
> > desirable to me. But I'm not entirely opposed to the idea if others
> > think this is a better way to go.
>
> I don't see any safe way to avoid it. The host has to be in control of
> what devices can and can not be accessed by the container.

Disagree. loop%d is meaningless until it is attached to a file. So
whether a container can use loop2 vs loop9 is meaningless. The point
of Seth's loopfs as I understood it is that the container simply gets a
unique (not visible to host or any other containers) set of loop devices
which it can attach to files which it owns. So long as the host can't
see the container's loop devices (i.e. so it unwittently mounts it when
looking for a particular UUID for /var), it won't get fooled by them.

So in this case *if* we can do it, a purely namespaced approach - meaning
that we restrict visibility of a particular loopdev to one container - is
perfect.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Namhyung Kim: "Re: [PATCH 13/14] perf tests: Add test for caching dso file descriptors"
Previous message: Joe Perches: "Re: [PATCH 5/4] get_maintainer: shut up perl critic"
In reply to: Seth Forshee: "Re: [lxc-devel] [RFC PATCH 11/11] loop: Allow priveleged operations for root in the namespace which owns a device"
Next in thread: Michael H. Warfield: "Re: [lxc-devel] [RFC PATCH 11/11] loop: Allow priveleged operations for root in the namespace which owns a device"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]