Re: [PATCH] private mounts
From: Jamie Lokier
Date: Sat Apr 30 2005 - 18:56:53 EST
Miklos Szeredi wrote:
> > But you don't need a new system call to bind an fd.
> >
> > "mount --bind /proc/self/fd/N mount_point" works, try it.
>
> Ahh, yes :)
>
> Still proc_check_root() has to be relaxed, to allow dereferencing link
> under a different namespace.
Not necessary.
Why not have the FUSE daemon keep open a file descriptor for the
directory it's mounted on, and have it sent that to new would-be
mounters of the same directory using a unix domain socket (rather as
Pavel suggested)?
> Maybe the check should be skipped for
> capable(CAP_SYS_ADMIN) or similar.
No. The check is to prevent processes in chroot jails from accessing
directories outside their jail. Even CAP_SYS_ADMIN processes must be
forbidden from doing that.
But proc_check_root is unnecessarily strict, in that it prevents a
process from traversing into a "child" namespace.
IMHO, a better security restriction anyway would be for processes in
chroot jails to not be able to see processes outside the jail in /proc
- only processes inside the jail should be visible. I think everyone
agrees that would be best.
If that were implemented, then proc_check_root would be redundant and
could be removed entirely.
-- Jamie
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/