user namespace and fully visible proc and sys mounts

From: Serge E. Hallyn
Date: Sun Mar 06 2016 - 03:28:35 EST

Next message: Ingo Molnar: "Re: [PATCH 00/10] x86: Various SYSENTER/SYSEXIT/#DB fixes and cleanups"
Previous message: Ingo Molnar: "Re: [PATCH 00/10] x86: Various SYSENTER/SYSEXIT/#DB fixes and cleanups"
Next in thread: Eric W. Biederman: "Re: user namespace and fully visible proc and sys mounts"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

So we've been over this many times... but unfortunately there is more
breakage to report. Regular privileged and unprivileged containers
work all right for us. But running an unprivileged container inside a
privileged container is blocked.

When creating privileged containers, lxc by default does a few things:
it mounts some fuse.lxcfs files over procfiles include /proc/meminfo and
/proc/uptime. It mounts proc rw but /proc/sysrq-trigger ro as well as
moves /proc/sys/net out of the way, bind-mounts /proc/sys readonly
(because this container is not in a user namespace) then moves
/proc/sys/net back. Finally it mounts sys ro but bind-mounts
/sys/devices/virtual/net as writeable.

If any of these are left enabled, unprivileged containers can't be
started. If all are disabled, then they can be.

Can we find a way to make these not block remounts in child user
namespaces? A boot flag, a procfs and sysfs mount option, a sysctl?

-serge

Next message: Ingo Molnar: "Re: [PATCH 00/10] x86: Various SYSENTER/SYSEXIT/#DB fixes and cleanups"
Previous message: Ingo Molnar: "Re: [PATCH 00/10] x86: Various SYSENTER/SYSEXIT/#DB fixes and cleanups"
Next in thread: Eric W. Biederman: "Re: user namespace and fully visible proc and sys mounts"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]