Re: [PATCH] fs: Treat non-ancestor-namespace mounts as MNT_NOSUID

From: Andy Lutomirski
Date: Tue Oct 14 2014 - 18:13:41 EST

On Tue, Oct 14, 2014 at 3:07 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> On Tue, Oct 14, 2014 at 2:57 PM, Eric W. Biederman

>>> Seth, this should address a problem that's related to yours. If a
>>> userns creates and untrusted fs (by any means, although admittedly fuse
>>> and user namespaces don't work all that well together right now), then
>>> this prevents shenanigans that could happen when the userns passes an fd
>>> pointing at the filesystem out to the root ns.
>> Andy for now I really think we are best not even reading those
>> capabilities into the vfs from unprivileged mounts.
> But won't we want to support letting userns containers create setuid
> files and security labels using FUSE and related things for their own
> benefit someday? This lets us do that without compromising the init
> namespace.

More concretely, root in a userns should be able to have a
setuid-whomever or security-labeled file, and another user in that
userns should be able to exec it and transition. But, if you're
outside the userns, then:

$ /proc/PID_IN_USERNS/root/path/to/labeled/file

shouldn't transition.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at