Re: [RESEND PATCH v6 0/5] proc: subset=pid: Relax check of mount visibility

From: Alexey Gladkov

Date: Sun Dec 14 2025 - 11:40:41 EST


On Sat, Dec 13, 2025 at 01:00:38PM -0500, Dan Klishch wrote:
> > It is much easier to implement file access
> > restrictions in procfs using an ebpf controller.
>
> But if we already have a masked /proc from podman/docker/user who
> decided to run `mount --bind /dev/null /proc/smth`, the sandbox will
> not have a choice other than to bail out.

I misunderstood you. I thought you were writing your own container
implementation.

Yes, if you want a nested container inside docker/podman, then the file
overmount technique is already used there.

But then, if I understand you correctly, this patch will not be enough
for you. procfs with subset=pid will not allow you to have /proc/meminfo,
/proc/cpuinfo, etc.

> Also, correct me if I am wrong, installing an ebpf controller requires
> CAP_BPF in initial userns, so rootless podman will not be able to mask
> /proc "properly" even if someone sends a patch switching it to ebpf.

You can turn on /proc/sys/kernel/unprivileged_bpf_disabled.

--
Rgrds, legion
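An added example, not code from this thread or from the kernel: a parser for the /proc/self/mountinfo format that reports whether procfs was mounted with subset=pid and which /proc entries a container runtime has masked with the /dev/null overmount technique discussed above, run over a constructed sample. Treating a mount whose root is "/null" on a devtmpfs/tmpfs as a /dev/null bind mount is a heuristic assumed here, not something the thread states.

```python
# Added example (not from the thread): inspect mountinfo for the procfs mount
# options (e.g. subset=pid) and for /proc entries hidden by overmounts.
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in /proc/self/mountinfo format (not captured from a real host).
SAMPLE_MOUNTINFO = """\
22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
30 22 0:6 /null /proc/kcore rw,nosuid - devtmpfs devtmpfs rw,size=4096k
31 22 0:6 /null /proc/keys rw,nosuid - devtmpfs devtmpfs rw,size=4096k
32 22 0:25 / /proc/acpi ro,relatime - tmpfs tmpfs ro
33 22 0:26 / /proc/sys/fs/binfmt_misc rw,relatime - binfmt_misc binfmt_misc rw
"""

@dataclass
class ProcView:
    proc_opts: Optional[str] = None                        # super options of the procfs mount
    masked: List[str] = field(default_factory=list)        # paths hidden by /dev/null bind mounts
    overmounted: List[str] = field(default_factory=list)   # any other mount under /proc

    def subset_pid(self) -> bool:
        return self.proc_opts is not None and "subset=pid" in self.proc_opts.split(",")

def parse_mountinfo(text: str, proc_root: str = "/proc") -> ProcView:
    """Walk mountinfo lines; fields before ' - ' are id/parent/dev/root/mountpoint/opts,
    fields after it are fstype/source/superopts (mountinfo(5) layout)."""
    view = ProcView()
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        root, mount_point = pre_fields[3], pre_fields[4]
        fstype, super_opts = post_fields[0], post_fields[2]
        if mount_point == proc_root and fstype == "proc":
            view.proc_opts = super_opts
        elif mount_point.startswith(proc_root + "/"):
            # Heuristic (assumption): a bind mount of /dev/null shows up with
            # root "/null" on the device filesystem backing /dev.
            if root == "/null" and fstype in ("devtmpfs", "tmpfs"):
                view.masked.append(mount_point)
            else:
                view.overmounted.append(mount_point)
    return view

if __name__ == "__main__":
    v = parse_mountinfo(SAMPLE_MOUNTINFO)
    print("subset=pid:", v.subset_pid(), "masked:", v.masked, "overmounted:", v.overmounted)
```

Run it against the real file with `parse_mountinfo(open("/proc/self/mountinfo").read())` to see what a sandbox started inside docker/podman would have to cope with.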