Re: [PATCH] devpts: Make ptmx be owned by the userns owner instead of userns-local 0
On Mar 14, 2016 1:35 AM, "Serge Hallyn" wrote: > > Quoting Andy Lutomirski (l...@kernel.org): > > We used to have ptmx be owned by the inner uid and gid 0. Change > > this: if the owner and group are both mapped but are not both 0, > > then use the owner instead. > > > > For container-style namespaces (LXC, etc), this should have no > > effect -- UID 0 is will either be the owner or will be unmapped. > > This doesn't seem right - it's often the case that the owner is mapped > in as non-0 uid, safe or not. The actual namespace root uid should be > the owner (so long as it exists). > > Why not reverse the cases? If 0 is not mapped, then check whether the > current_user_ns()->owner is mapped? Good point, and less chance of breakage that way as well. --Andy
Re: [PATCH] devpts: Make ptmx be owned by the userns owner instead of userns-local 0
On sön, 2016-03-13 at 22:06 -0700, Andy Lutomirski wrote: > We used to have ptmx be owned by the inner uid and gid 0. Change > this: if the owner and group are both mapped but are not both 0, > then use the owner instead. > > For container-style namespaces (LXC, etc), this should have no > effect -- UID 0 is will either be the owner or will be unmapped. > > The important behavior change is for sandboxes: many sandboxes > intentionally do not create an inner uid 0. Without this patch, > mounting devpts in such a sandbox is awkward. With this patch, it > will just work and ptmx will be owned by the namespace owner. > > Cc: Alexander Larsson > Cc: mcla...@redhat.com > Cc: "Eric W. Biederman" > Cc: Linux Containers > Signed-off-by: Andy Lutomirski Tested-by: Alexander Larsson Seems to work fine for me! Thanks! -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Alexander LarssonRed Hat, Inc al...@redhat.comalexander.lars...@gmail.com He's an uncontrollable voodoo librarian with a robot buddy named Sparky. She's a cynical winged journalist from the wrong side of the tracks. They fight crime!
Re: [PATCH] devpts: Make ptmx be owned by the userns owner instead of userns-local 0
Quoting Andy Lutomirski (l...@kernel.org): > We used to have ptmx be owned by the inner uid and gid 0. Change > this: if the owner and group are both mapped but are not both 0, > then use the owner instead. > > For container-style namespaces (LXC, etc), this should have no > effect -- UID 0 is will either be the owner or will be unmapped. This doesn't seem right - it's often the case that the owner is mapped in as non-0 uid, safe or not. The actual namespace root uid should be the owner (so long as it exists). Why not reverse the cases? If 0 is not mapped, then check whether the current_user_ns()->owner is mapped? > The important behavior change is for sandboxes: many sandboxes > intentionally do not create an inner uid 0. Without this patch, > mounting devpts in such a sandbox is awkward. With this patch, it > will just work and ptmx will be owned by the namespace owner. > > Cc: Alexander Larsson > Cc: mcla...@redhat.com > Cc: "Eric W. Biederman" > Cc: Linux Containers > Signed-off-by: Andy Lutomirski > --- > fs/devpts/inode.c | 34 ++ > 1 file changed, 30 insertions(+), 4 deletions(-) > > diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c > index 655f21f99160..d6fa2d1beee3 100644 > --- a/fs/devpts/inode.c > +++ b/fs/devpts/inode.c > @@ -27,6 +27,7 @@ > #include > #include > #include > +#include > > #define DEVPTS_DEFAULT_MODE 0600 > /* > @@ -250,10 +251,35 @@ static int mknod_ptmx(struct super_block *sb) > kuid_t root_uid; > kgid_t root_gid; > > - root_uid = make_kuid(current_user_ns(), 0); > - root_gid = make_kgid(current_user_ns(), 0); > - if (!uid_valid(root_uid) || !gid_valid(root_gid)) > - return -EINVAL; > + /* > + * For a new devpts instance, ptmx is owned by the creating user > + * namespace's owner. Usually, that will be 0 as seen by the > + * user namespace, but for unprivileged sandbox namespaces, > + * there may not be a uid 0 or gid 0 at all. > + */ > + root_uid = current_user_ns()->owner; > + root_gid = current_user_ns()->group; > + > + if (!uid_valid(root_uid) || !gid_valid(root_gid)) { > + /* > + * It's very unlikely for us to get here if the userns > + * owner is not mapped, but it's possible -- we'd have > + * to be running in the userns with capabilities granted > + * by unshare or setns, since there is no inner > + * privileged user. Nonetheless, this could happen, and > + * we don't want ptmx to be owned by an unmapped user or > + * group. > + * > + * If this happens fall back to historical behavior: > + * try to have ptmx be owned by 0:0. > + */ > + root_uid = make_kuid(current_user_ns(), 0); > + root_gid = make_kgid(current_user_ns(), 0); > + > + /* If this still doesn't work, give up. */ > + if (!uid_valid(root_uid) || !gid_valid(root_gid)) > + return -EINVAL; > + } > > inode_lock(d_inode(root)); > > -- > 2.5.0 > > ___ > Containers mailing list > contain...@lists.linux-foundation.org > https://lists.linuxfoundation.org/mailman/listinfo/containers
[PATCH] devpts: Make ptmx be owned by the userns owner instead of userns-local 0
We used to have ptmx be owned by the inner uid and gid 0. Change this: if the owner and group are both mapped but are not both 0, then use the owner instead. For container-style namespaces (LXC, etc), this should have no effect -- UID 0 is will either be the owner or will be unmapped. The important behavior change is for sandboxes: many sandboxes intentionally do not create an inner uid 0. Without this patch, mounting devpts in such a sandbox is awkward. With this patch, it will just work and ptmx will be owned by the namespace owner. Cc: Alexander Larsson Cc: mcla...@redhat.com Cc: "Eric W. Biederman" Cc: Linux Containers Signed-off-by: Andy Lutomirski --- fs/devpts/inode.c | 34 ++ 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c index 655f21f99160..d6fa2d1beee3 100644 --- a/fs/devpts/inode.c +++ b/fs/devpts/inode.c @@ -27,6 +27,7 @@ #include #include #include +#include #define DEVPTS_DEFAULT_MODE 0600 /* @@ -250,10 +251,35 @@ static int mknod_ptmx(struct super_block *sb) kuid_t root_uid; kgid_t root_gid; - root_uid = make_kuid(current_user_ns(), 0); - root_gid = make_kgid(current_user_ns(), 0); - if (!uid_valid(root_uid) || !gid_valid(root_gid)) - return -EINVAL; + /* +* For a new devpts instance, ptmx is owned by the creating user +* namespace's owner. Usually, that will be 0 as seen by the +* user namespace, but for unprivileged sandbox namespaces, +* there may not be a uid 0 or gid 0 at all. +*/ + root_uid = current_user_ns()->owner; + root_gid = current_user_ns()->group; + + if (!uid_valid(root_uid) || !gid_valid(root_gid)) { + /* +* It's very unlikely for us to get here if the userns +* owner is not mapped, but it's possible -- we'd have +* to be running in the userns with capabilities granted +* by unshare or setns, since there is no inner +* privileged user. Nonetheless, this could happen, and +* we don't want ptmx to be owned by an unmapped user or +* group. +* +* If this happens fall back to historical behavior: +* try to have ptmx be owned by 0:0. +*/ + root_uid = make_kuid(current_user_ns(), 0); + root_gid = make_kgid(current_user_ns(), 0); + + /* If this still doesn't work, give up. */ + if (!uid_valid(root_uid) || !gid_valid(root_gid)) + return -EINVAL; + } inode_lock(d_inode(root)); -- 2.5.0