On fre, 2015-02-20 at 17:05 -0800, Andy Lutomirski wrote:
> On Fri, Feb 20, 2015 at 4:43 PM, Andy Lutomirski <[email protected]> wrote:
> > On Fri, Feb 20, 2015 at 4:31 PM, Eric W. Biederman
> > <[email protected]> wrote:
> >> Andy Lutomirski <[email protected]> writes:
> >>
> >>> On Thu, Feb 19, 2015 at 8:38 AM, Alexander Larsson <[email protected]>
> >>> wrote:
> >>>> On Tue, 2015-02-17 at 13:23 -0800, Andy Lutomirski wrote:
> >>>>
> >>>>> - setuid / privileged helper. Why do you need a privileged helper?
> >>>>> You should be able to do all of this using user namespaces. The
> >>>>> Sandstorm code linked above does exactly this.
> >>>>
> >>>> I tried this a bit, but I ran into two snags I don't understand.
> >>>>
> >>>> First of all, as uid/gid 1000 I can put "1000 1000 1"
> >>>> in /proc/self/uid_map from the child. However, I cannot put "1000 1000
> >>>> 1" into gid_map, as I get EPERM.
> >>>> I don't understand this, is this not supposed to work?
> >>>
> >>> You need newer manpages :-/ Try the attached variant.
> >>
> >> Yeah. You need to disable setgroups for that to work.
> >>
> >>>> Secondly, I'm failing to mount another instance of devpts. It fails with
> >>>> EINVAL.
> >>>
> >>> Hmm. Off the top of my head, there's no good reason that devpts with
> >>> the newinstance option couldn't be allowed in a userns. Eric, any
> >>> thoughts here? The patch would be straightforward.
> >>
> >> Looking at the code you have to have uid 0 and gid 0 mapped and you have
> >> to specify newinstance. But devpts is mountable without being the
> >> global root user.
> >
> > Wow, my grepping skills are nonexistent today.
> >
> >>
> >> The restriction of having uid 0 and gid 0 mapped is just that /dev/ptmx is
> >> and has always been owned by root and so mknod_ptmx just won't let you
> >> create a device inode with a uid or gid you can't map.
> >
> > All we'd have to do is to add ptmx_uid and ptmx_gid options, right?
> > I'll send a patch.
>
> With the patch I just sent out, the attached version of the test code works.
Hmm, I also want to have /sys read-only in the container, for things like
OpenGL to work (it needs to look at the PCI tables to see what driver to
load). This seems to be problematic; I keep getting EPERM when I try to
mount my own copy of it.
I am able to do a bind mount of the system one, *if* I pass in MS_REC
(which is not necessarily what I want), but I then later fail when
trying to remount it read-only.
Any idea here?
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Alexander Larsson Red Hat, Inc
[email protected] [email protected]
He's a globe-trotting hunchbacked filmmaker plagued by the memory of his
family's brutal murder. She's a radical thirtysomething opera singer who
dreams of becoming Elvis. They fight crime!
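The sequence this thread walks through, put together as an added example in C (it is not the test program Andy attached, nor code from the thread): create a user and mount namespace, deny setgroups before writing gid_map (the EPERM Eric explains), bind the host /sys recursively (the MS_REC requirement Alexander hit) and then remount that bind read-only. The target directory /tmp/sandbox-sys is an assumption. The remount uses MS_BIND|MS_REMOUNT so that only the bind mount's own flags change rather than the sysfs superblock, which an unprivileged namespace cannot remount, and it carries over the nosuid/nodev/noexec and atime settings read back from the mount, because a remount from a user namespace that would clear a flag locked in by the parent namespace is refused with EPERM. Only main() needs a real kernel; the two helpers it builds on are plain functions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* statvfs(2) reports the atime mode in GNU-only bits; Linux values as fallback. */
#ifndef ST_NOATIME
#define ST_NOATIME    1024
#endif
#ifndef ST_NODIRATIME
#define ST_NODIRATIME 2048
#endif
#ifndef ST_RELATIME
#define ST_RELATIME   4096
#endif

/* Write one string to a /proc file; returns 0 or a negative errno. */
static int write_proc(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    int err = (write(fd, text, strlen(text)) < 0) ? -errno : 0;
    close(fd);
    return err;
}

/* Build the one-line "<id> <id> 1" mapping the thread writes for id 1000.
 * Returns the line length, or -1 if buf is too small. */
int format_id_map(char *buf, size_t len, unsigned id)
{
    int n = snprintf(buf, len, "%u %u 1\n", id, id);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Map the caller's own uid and gid onto themselves in the new user namespace.
 * An unprivileged process may only write gid_map once setgroups is denied. */
static int map_self_ids(uid_t uid, gid_t gid)
{
    char line[32];
    int err = write_proc("/proc/self/setgroups", "deny");
    if (err && err != -ENOENT)           /* ENOENT: kernel predates the file */
        return err;
    format_id_map(line, sizeof line, uid);
    if ((err = write_proc("/proc/self/uid_map", line)))
        return err;
    format_id_map(line, sizeof line, gid);
    return write_proc("/proc/self/gid_map", line);
}

/* Flags for remounting an existing bind mount read-only.  MS_BIND|MS_REMOUNT
 * touches only this mount's flags, not the sysfs superblock.  Flags locked in
 * by the parent namespace (nosuid/nodev/noexec, atime mode) must be kept or
 * the kernel answers EPERM, so they are read back from statvfs and carried. */
unsigned long ro_remount_flags(unsigned long st_flags)
{
    unsigned long f = MS_BIND | MS_REMOUNT | MS_RDONLY;
    if (st_flags & ST_NOSUID)        f |= MS_NOSUID;
    if (st_flags & ST_NODEV)         f |= MS_NODEV;
    if (st_flags & ST_NOEXEC)        f |= MS_NOEXEC;
    if (st_flags & ST_NODIRATIME)    f |= MS_NODIRATIME;
    if (st_flags & ST_NOATIME)       f |= MS_NOATIME;
    else if (st_flags & ST_RELATIME) f |= MS_RELATIME;
    else                             f |= MS_STRICTATIME;
    return f;
}

/* Bind the host /sys under target and make that bind read-only. */
static int bind_sys_readonly(const char *target)
{
    struct statvfs st;
    /* /sys carries submounts locked in by the parent namespace, so a
     * non-recursive bind is refused with EINVAL from a user namespace.
     * The read-only remount applies to the top-level bind only. */
    if (mount("/sys", target, NULL, MS_BIND | MS_REC, NULL) < 0)
        return -errno;
    if (statvfs(target, &st) < 0)
        return -errno;
    if (mount(NULL, target, NULL, ro_remount_flags(st.f_flag), NULL) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    const char *target = "/tmp/sandbox-sys";   /* assumed mount point */
    uid_t uid = getuid();
    gid_t gid = getgid();
    int err;

    mkdir(target, 0755);
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) {
        perror("unshare");
        return 1;
    }
    if ((err = map_self_ids(uid, gid)) < 0) {
        fprintf(stderr, "id mapping: %s\n", strerror(-err));
        return 1;
    }
    if ((err = bind_sys_readonly(target)) < 0) {
        fprintf(stderr, "bind /sys: %s\n", strerror(-err));
        return 1;
    }
    printf("read-only /sys at %s as uid %u gid %u\n", target, getuid(), getgid());
    return 0;
}
```

Run it as an ordinary user on a kernel with unprivileged user namespaces enabled; the program stays in the new namespaces only for its own lifetime, so nothing is left mounted on the host. Note that the submounts pulled in by MS_REC (for example anything mounted below /sys) keep their own flags and would each need the same remount treatment to be read-only.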
_______________________________________________
gnome-os-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-os-list