Re: [PATCH] devpts: Make ptmx be owned by the userns owner instead of userns-local 0
On Mar 14, 2016 1:35 AM, "Serge Hallyn" wrote: > > Quoting Andy Lutomirski (l...@kernel.org): > > We used to have ptmx be owned by the inner uid and gid 0. Change > > this: if the owner and group are both mapped but are not both 0, > > then use the owner instead. > > > > For container-style namespaces (LXC, etc), this should have no > > effect -- UID 0 is will either be the owner or will be unmapped. > > This doesn't seem right - it's often the case that the owner is mapped > in as non-0 uid, safe or not. The actual namespace root uid should be > the owner (so long as it exists). > > Why not reverse the cases? If 0 is not mapped, then check whether the > current_user_ns()->owner is mapped? Good point, and less chance of breakage that way as well. --Andy
Re: [PATCH] devpts: Make ptmx be owned by the userns owner instead of userns-local 0
On sön, 2016-03-13 at 22:06 -0700, Andy Lutomirski wrote: > We used to have ptmx be owned by the inner uid and gid 0. Change > this: if the owner and group are both mapped but are not both 0, > then use the owner instead. > > For container-style namespaces (LXC, etc), this should have no > effect -- UID 0 is will either be the owner or will be unmapped. > > The important behavior change is for sandboxes: many sandboxes > intentionally do not create an inner uid 0. Without this patch, > mounting devpts in such a sandbox is awkward. With this patch, it > will just work and ptmx will be owned by the namespace owner. > > Cc: Alexander Larsson > Cc: mcla...@redhat.com > Cc: "Eric W. Biederman" > Cc: Linux Containers > Signed-off-by: Andy Lutomirski Tested-by: Alexander Larsson Seems to work fine for me! Thanks! -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Alexander LarssonRed Hat, Inc al...@redhat.comalexander.lars...@gmail.com He's an uncontrollable voodoo librarian with a robot buddy named Sparky. She's a cynical winged journalist from the wrong side of the tracks. They fight crime!
Re: [PATCH] devpts: Make ptmx be owned by the userns owner instead of userns-local 0
Quoting Andy Lutomirski (l...@kernel.org):
> We used to have ptmx be owned by the inner uid and gid 0. Change
> this: if the owner and group are both mapped but are not both 0,
> then use the owner instead.
>
> For container-style namespaces (LXC, etc), this should have no
> effect -- UID 0 is will either be the owner or will be unmapped.
This doesn't seem right - it's often the case that the owner is mapped
in as non-0 uid, safe or not. The actual namespace root uid should be
the owner (so long as it exists).
Why not reverse the cases? If 0 is not mapped, then check whether the
current_user_ns()->owner is mapped?
> The important behavior change is for sandboxes: many sandboxes
> intentionally do not create an inner uid 0. Without this patch,
> mounting devpts in such a sandbox is awkward. With this patch, it
> will just work and ptmx will be owned by the namespace owner.
>
> Cc: Alexander Larsson
> Cc: mcla...@redhat.com
> Cc: "Eric W. Biederman"
> Cc: Linux Containers
> Signed-off-by: Andy Lutomirski
> ---
> fs/devpts/inode.c | 34 ++
> 1 file changed, 30 insertions(+), 4 deletions(-)
>
> diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
> index 655f21f99160..d6fa2d1beee3 100644
> --- a/fs/devpts/inode.c
> +++ b/fs/devpts/inode.c
> @@ -27,6 +27,7 @@
> #include
> #include
> #include
> +#include
>
> #define DEVPTS_DEFAULT_MODE 0600
> /*
> @@ -250,10 +251,35 @@ static int mknod_ptmx(struct super_block *sb)
> kuid_t root_uid;
> kgid_t root_gid;
>
> - root_uid = make_kuid(current_user_ns(), 0);
> - root_gid = make_kgid(current_user_ns(), 0);
> - if (!uid_valid(root_uid) || !gid_valid(root_gid))
> - return -EINVAL;
> + /*
> + * For a new devpts instance, ptmx is owned by the creating user
> + * namespace's owner. Usually, that will be 0 as seen by the
> + * user namespace, but for unprivileged sandbox namespaces,
> + * there may not be a uid 0 or gid 0 at all.
> + */
> + root_uid = current_user_ns()->owner;
> + root_gid = current_user_ns()->group;
> +
> + if (!uid_valid(root_uid) || !gid_valid(root_gid)) {
> + /*
> + * It's very unlikely for us to get here if the userns
> + * owner is not mapped, but it's possible -- we'd have
> + * to be running in the userns with capabilities granted
> + * by unshare or setns, since there is no inner
> + * privileged user. Nonetheless, this could happen, and
> + * we don't want ptmx to be owned by an unmapped user or
> + * group.
> + *
> + * If this happens fall back to historical behavior:
> + * try to have ptmx be owned by 0:0.
> + */
> + root_uid = make_kuid(current_user_ns(), 0);
> + root_gid = make_kgid(current_user_ns(), 0);
> +
> + /* If this still doesn't work, give up. */
> + if (!uid_valid(root_uid) || !gid_valid(root_gid))
> + return -EINVAL;
> + }
>
> inode_lock(d_inode(root));
>
> --
> 2.5.0
>
> ___
> Containers mailing list
> contain...@lists.linux-foundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/containers
[PATCH] devpts: Make ptmx be owned by the userns owner instead of userns-local 0
We used to have ptmx be owned by the inner uid and gid 0. Change
this: if the owner and group are both mapped but are not both 0,
then use the owner instead.
For container-style namespaces (LXC, etc), this should have no
effect -- UID 0 is will either be the owner or will be unmapped.
The important behavior change is for sandboxes: many sandboxes
intentionally do not create an inner uid 0. Without this patch,
mounting devpts in such a sandbox is awkward. With this patch, it
will just work and ptmx will be owned by the namespace owner.
Cc: Alexander Larsson
Cc: mcla...@redhat.com
Cc: "Eric W. Biederman"
Cc: Linux Containers
Signed-off-by: Andy Lutomirski
---
fs/devpts/inode.c | 34 ++
1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
index 655f21f99160..d6fa2d1beee3 100644
--- a/fs/devpts/inode.c
+++ b/fs/devpts/inode.c
@@ -27,6 +27,7 @@
#include
#include
#include
+#include
#define DEVPTS_DEFAULT_MODE 0600
/*
@@ -250,10 +251,35 @@ static int mknod_ptmx(struct super_block *sb)
kuid_t root_uid;
kgid_t root_gid;
- root_uid = make_kuid(current_user_ns(), 0);
- root_gid = make_kgid(current_user_ns(), 0);
- if (!uid_valid(root_uid) || !gid_valid(root_gid))
- return -EINVAL;
+ /*
+* For a new devpts instance, ptmx is owned by the creating user
+* namespace's owner. Usually, that will be 0 as seen by the
+* user namespace, but for unprivileged sandbox namespaces,
+* there may not be a uid 0 or gid 0 at all.
+*/
+ root_uid = current_user_ns()->owner;
+ root_gid = current_user_ns()->group;
+
+ if (!uid_valid(root_uid) || !gid_valid(root_gid)) {
+ /*
+* It's very unlikely for us to get here if the userns
+* owner is not mapped, but it's possible -- we'd have
+* to be running in the userns with capabilities granted
+* by unshare or setns, since there is no inner
+* privileged user. Nonetheless, this could happen, and
+* we don't want ptmx to be owned by an unmapped user or
+* group.
+*
+* If this happens fall back to historical behavior:
+* try to have ptmx be owned by 0:0.
+*/
+ root_uid = make_kuid(current_user_ns(), 0);
+ root_gid = make_kgid(current_user_ns(), 0);
+
+ /* If this still doesn't work, give up. */
+ if (!uid_valid(root_uid) || !gid_valid(root_gid))
+ return -EINVAL;
+ }
inode_lock(d_inode(root));
--
2.5.0
