Re: [PATCH] fs: Treat non-ancestor-namespace mounts as MNT_NOSUID
From: Andy Lutomirski
Date: Tue Oct 14 2014 - 18:13:41 EST
On Tue, Oct 14, 2014 at 3:07 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> On Tue, Oct 14, 2014 at 2:57 PM, Eric W. Biederman
>>> Seth, this should address a problem that's related to yours. If a
>>> userns creates and untrusted fs (by any means, although admittedly fuse
>>> and user namespaces don't work all that well together right now), then
>>> this prevents shenanigans that could happen when the userns passes an fd
>>> pointing at the filesystem out to the root ns.
>>
>> Andy for now I really think we are best not even reading those
>> capabilities into the vfs from unprivileged mounts.
>
> But won't we want to support letting userns containers create setuid
> files and security labels using FUSE and related things for their own
> benefit someday? This lets us do that without compromising the init
> namespace.
More concretely, root in a userns should be able to have a
setuid-whomever or security-labeled file, and another user in that
userns should be able to exec it and transition. But, if you're
outside the userns, then:
$ /proc/PID_IN_USERNS/root/path/to/labeled/file
shouldn't transition.
--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/