Re: [PATCH 10/11] fuse: Allow user namespace mounts
On Wed, Feb 14, 2018 at 2:44 PM, Miklos Szeredi wrote: > On Fri, Dec 22, 2017 at 3:32 PM, Dongsu Park wrote: >> From: Seth Forshee >> >> To be able to mount fuse from non-init user namespaces, it's necessary >> to set FS_USERNS_MOUNT flag to fs_flags. >> >> Patch v4 is available: https://patchwork.kernel.org/patch/8944681/ >> >> Cc: linux-fsde...@vger.kernel.org >> Cc: linux-kernel@vger.kernel.org >> Cc: Miklos Szeredi >> Signed-off-by: Seth Forshee >> [dongsu: add a simple commit message] >> Signed-off-by: Dongsu Park >> --- >> fs/fuse/inode.c | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c >> index 7f6b2e55..8c98edee 100644 >> --- a/fs/fuse/inode.c >> +++ b/fs/fuse/inode.c >> @@ -1212,7 +1212,7 @@ static void fuse_kill_sb_anon(struct super_block *sb) >> static struct file_system_type fuse_fs_type = { >> .owner = THIS_MODULE, >> .name = "fuse", >> - .fs_flags = FS_HAS_SUBTYPE, >> + .fs_flags = FS_HAS_SUBTYPE | FS_USERNS_MOUNT, >> .mount = fuse_mount, >> .kill_sb= fuse_kill_sb_anon, >> }; > > I think enabling FS_USERNS_MOUNT should be pretty safe. > > I was thinking opting out should be as simple as "chmod o-rw > /dev/fuse". But that breaks libfuse, even though fusermount opens > /dev/fuse in privileged mode, so it shouldn't. I'm talking rubbish, /dev/fuse is opened without privs in fusermount as well. So there's no way to differentiate user_ns unpriv mounts from suid fusermount unpriv mounts. Maybe that's just as well... Thanks, Miklos
Re: [PATCH 10/11] fuse: Allow user namespace mounts
On Fri, Dec 22, 2017 at 3:32 PM, Dongsu Park wrote: > From: Seth Forshee > > To be able to mount fuse from non-init user namespaces, it's necessary > to set FS_USERNS_MOUNT flag to fs_flags. > > Patch v4 is available: https://patchwork.kernel.org/patch/8944681/ > > Cc: linux-fsde...@vger.kernel.org > Cc: linux-kernel@vger.kernel.org > Cc: Miklos Szeredi > Signed-off-by: Seth Forshee > [dongsu: add a simple commit message] > Signed-off-by: Dongsu Park > --- > fs/fuse/inode.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c > index 7f6b2e55..8c98edee 100644 > --- a/fs/fuse/inode.c > +++ b/fs/fuse/inode.c > @@ -1212,7 +1212,7 @@ static void fuse_kill_sb_anon(struct super_block *sb) > static struct file_system_type fuse_fs_type = { > .owner = THIS_MODULE, > .name = "fuse", > - .fs_flags = FS_HAS_SUBTYPE, > + .fs_flags = FS_HAS_SUBTYPE | FS_USERNS_MOUNT, > .mount = fuse_mount, > .kill_sb= fuse_kill_sb_anon, > }; I think enabling FS_USERNS_MOUNT should be pretty safe. I was thinking opting out should be as simple as "chmod o-rw /dev/fuse". But that breaks libfuse, even though fusermount opens /dev/fuse in privileged mode, so it shouldn't. That can be fixed in libfuse, but it's an unfortunate bug and it also means /dev/fuse is configured with "crw-rw-rw-" in most cases. Which means it will be opting out, not opting in, which is the less safe version. > @@ -1244,7 +1244,7 @@ static struct file_system_type fuseblk_fs_type = { > .name = "fuseblk", > .mount = fuse_mount_blk, > .kill_sb= fuse_kill_sb_blk, > - .fs_flags = FS_REQUIRES_DEV | FS_HAS_SUBTYPE, > + .fs_flags = FS_REQUIRES_DEV | FS_HAS_SUBTYPE | FS_USERNS_MOUNT, > }; > MODULE_ALIAS_FS("fuseblk"); As I said, this hunk should be dropped from the first version, because it's possibly unsafe. Thanks, Miklos
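A concrete way to check the two things Miklos raises in the messages above (whether /dev/fuse is still world read/write, so that "chmod o-rw /dev/fuse" is the only opt-out, and whether the running kernel lets an unprivileged user namespace mount "fuse" at all), as an added example that is not code from the patch, from libfuse or from anyone in this thread. It forks a child that enters a new user and mount namespace, maps itself to uid/gid 0 there, opens /dev/fuse and issues the same mount(2) call fusermount makes, with the fd/rootmode/user_id/group_id options fuse requires. On a kernel whose fuse_fs_type lacks FS_USERNS_MOUNT the mount stage fails with EPERM; with the flag the mount succeeds and is torn down with the child's namespace. After "chmod o-rw /dev/fuse" the open stage fails with EACCES instead, and where unprivileged user namespaces are disabled the unshare stage fails first. The file name, the "/tmp/fuse-userns-probe-" mountpoint prefix and the "fuse-probe" source string are this example's own choices; everything else is standard Linux API.

```c
/* fuse_userns_probe.c: added example, not code from the patch, libfuse or this thread.
 * (1) Is /dev/fuse world read/write, the state that makes "chmod o-rw /dev/fuse" the opt-out?
 * (2) Does this kernel let an unprivileged user namespace mount "fuse" (FS_USERNS_MOUNT set)? */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
/* Stage at which the probe stopped; err holds errno for anything but ST_OK. */
enum stage { ST_OK = 0, ST_UNSHARE, ST_MAP, ST_OPEN, ST_MKDIR, ST_MOUNT };
struct probe_result { enum stage stage; int err; };
#define FAIL(st) do { r.stage = (st); r.err = errno; return r; } while (0)
/* Opt-out check: "chmod o-rw /dev/fuse" clears exactly these two bits. */
int mode_is_world_rw(mode_t mode)
{
    return (mode & (S_IROTH | S_IWOTH)) == (S_IROTH | S_IWOTH);
}
/* Option string fusermount hands to mount(2); fuse requires all four keys. Returns buf, or NULL if truncated. */
char *build_fuse_opts(char *buf, size_t len, int fd, mode_t rootmode, uid_t uid, gid_t gid)
{
    int n = snprintf(buf, len, "fd=%d,rootmode=%o,user_id=%u,group_id=%u",
                     fd, (unsigned)rootmode, (unsigned)uid, (unsigned)gid);
    return (n < 0 || (size_t)n >= len) ? NULL : buf;
}
static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    int ok = write(fd, s, strlen(s)) == (ssize_t)strlen(s);
    close(fd);
    return ok ? 0 : -1;
}
/* Child side: new user+mount namespace, map ourselves to uid/gid 0 in it, then issue the
 * mount(2) fusermount would. Nothing serves the fd, so the mounted tree must not be
 * touched; it vanishes with the child's mount namespace. */
static struct probe_result probe_in_child(void)
{
    struct probe_result r = { ST_OK, 0 };
    char map[64], opts[128], target[] = "/tmp/fuse-userns-probe-XXXXXX"; /* prefix chosen for this example */
    uid_t outer_uid = getuid();
    gid_t outer_gid = getgid();
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) FAIL(ST_UNSHARE); /* EPERM if unprivileged userns is disabled */
    snprintf(map, sizeof map, "0 %u 1", (unsigned)outer_uid);
    if (write_file("/proc/self/uid_map", map) < 0) FAIL(ST_MAP);
    /* setgroups must be denied before gid_map can be written; the file only exists on newer kernels. */
    if (write_file("/proc/self/setgroups", "deny") < 0 && errno != ENOENT) FAIL(ST_MAP);
    snprintf(map, sizeof map, "0 %u 1", (unsigned)outer_gid);
    if (write_file("/proc/self/gid_map", map) < 0) FAIL(ST_MAP);
    int fd = open("/dev/fuse", O_RDWR | O_CLOEXEC);                 /* EACCES after chmod o-rw */
    if (fd < 0) FAIL(ST_OPEN);
    if (!mkdtemp(target)) FAIL(ST_MKDIR);
    build_fuse_opts(opts, sizeof opts, fd, S_IFDIR, getuid(), getgid()); /* getuid/getgid are now 0 in the ns */
    /* nosuid,nodev: what fusermount forces for unprivileged callers anyway. */
    if (mount("fuse-probe", target, "fuse", MS_NOSUID | MS_NODEV, opts) < 0) {
        r.stage = ST_MOUNT;   /* EPERM on a kernel without FS_USERNS_MOUNT on fuse */
        r.err = errno;
    } else {
        umount2(target, MNT_DETACH);
    }
    rmdir(target);
    return r;
}
/* Parent side: fork so the namespace changes never affect the caller. */
struct probe_result probe_userns_fuse_mount(void)
{
    struct probe_result r = { ST_UNSHARE, 0 };
    int p[2];
    if (pipe(p) < 0) FAIL(ST_UNSHARE);
    pid_t pid = fork();
    if (pid < 0) { close(p[0]); close(p[1]); FAIL(ST_UNSHARE); }
    if (pid == 0) {
        struct probe_result c = probe_in_child();
        _exit(write(p[1], &c, sizeof c) == sizeof c ? 0 : 1);
    }
    close(p[1]);
    if (read(p[0], &r, sizeof r) != sizeof r) r.err = EIO; /* child died before reporting */
    close(p[0]);
    waitpid(pid, NULL, 0);
    return r;
}
int main(void)
{
    static const char *names[] = { "ok", "unshare", "uid/gid map", "open /dev/fuse", "mkdtemp", "mount" };
    struct stat st;
    if (stat("/dev/fuse", &st) == 0)
        printf("/dev/fuse mode %04o: %s\n", (unsigned)(st.st_mode & 07777),
               mode_is_world_rw(st.st_mode) ? "world rw, opt-out not applied" : "not world rw");
    struct probe_result r = probe_userns_fuse_mount();
    if (r.stage == ST_OK) printf("unprivileged userns fuse mount: allowed\n");
    else printf("unprivileged userns fuse mount: failed at %s: %s\n", names[r.stage], strerror(r.err));
    return 0;
}
```

Build with `cc -Wall -o fuse_userns_probe fuse_userns_probe.c` and run it as an ordinary user; the useful output is which stage fails. Note that, exactly as Miklos says, the open stage is the same for this probe and for a setuid fusermount: once /dev/fuse is 0660 neither can open it, so the chmod opts out of both, not only of user-namespace mounts.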
Re: [PATCH 10/11] fuse: Allow user namespace mounts
On Fri, Dec 22, 2017 at 03:32:34PM +0100, Dongsu Park wrote: > From: Seth Forshee > > To be able to mount fuse from non-init user namespaces, it's necessary > to set FS_USERNS_MOUNT flag to fs_flags. > > Patch v4 is available: https://patchwork.kernel.org/patch/8944681/ > > Cc: linux-fsde...@vger.kernel.org > Cc: linux-kernel@vger.kernel.org > Cc: Miklos Szeredi > Signed-off-by: Seth Forshee > [dongsu: add a simple commit message] > Signed-off-by: Dongsu Park Reviewed-by: Serge Hallyn > --- > fs/fuse/inode.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c > index 7f6b2e55..8c98edee 100644 > --- a/fs/fuse/inode.c > +++ b/fs/fuse/inode.c > @@ -1212,7 +1212,7 @@ static void fuse_kill_sb_anon(struct super_block *sb) > static struct file_system_type fuse_fs_type = { > .owner = THIS_MODULE, > .name = "fuse", > - .fs_flags = FS_HAS_SUBTYPE, > + .fs_flags = FS_HAS_SUBTYPE | FS_USERNS_MOUNT, > .mount = fuse_mount, > .kill_sb= fuse_kill_sb_anon, > }; > @@ -1244,7 +1244,7 @@ static struct file_system_type fuseblk_fs_type = { > .name = "fuseblk", > .mount = fuse_mount_blk, > .kill_sb= fuse_kill_sb_blk, > - .fs_flags = FS_REQUIRES_DEV | FS_HAS_SUBTYPE, > + .fs_flags = FS_REQUIRES_DEV | FS_HAS_SUBTYPE | FS_USERNS_MOUNT, > }; > MODULE_ALIAS_FS("fuseblk"); > > -- > 2.13.6 > > ___ > Containers mailing list > contain...@lists.linux-foundation.org > https://lists.linuxfoundation.org/mailman/listinfo/containers
[PATCH 10/11] fuse: Allow user namespace mounts
From: Seth Forshee To be able to mount fuse from non-init user namespaces, it's necessary to set FS_USERNS_MOUNT flag to fs_flags. Patch v4 is available: https://patchwork.kernel.org/patch/8944681/ Cc: linux-fsde...@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: Miklos Szeredi Signed-off-by: Seth Forshee [dongsu: add a simple commit message] Signed-off-by: Dongsu Park --- fs/fuse/inode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c index 7f6b2e55..8c98edee 100644 --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c @@ -1212,7 +1212,7 @@ static void fuse_kill_sb_anon(struct super_block *sb) static struct file_system_type fuse_fs_type = { .owner = THIS_MODULE, .name = "fuse", - .fs_flags = FS_HAS_SUBTYPE, + .fs_flags = FS_HAS_SUBTYPE | FS_USERNS_MOUNT, .mount = fuse_mount, .kill_sb= fuse_kill_sb_anon, }; @@ -1244,7 +1244,7 @@ static struct file_system_type fuseblk_fs_type = { .name = "fuseblk", .mount = fuse_mount_blk, .kill_sb= fuse_kill_sb_blk, - .fs_flags = FS_REQUIRES_DEV | FS_HAS_SUBTYPE, + .fs_flags = FS_REQUIRES_DEV | FS_HAS_SUBTYPE | FS_USERNS_MOUNT, }; MODULE_ALIAS_FS("fuseblk"); -- 2.13.6
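Review bot: for the fuse_fs_type hunk (@@ -1212,7 +1212,7 @@), the commit message only says the flag is "necessary" and gives no argument for why letting an unprivileged user namespace mount "fuse" is safe, nor which of the preceding patches in this 11-patch series the flag depends on; since FS_USERNS_MOUNT is the single line that opens the door, the log should carry that reasoning (and the intended opt-out, which the thread identifies as restricting /dev/fuse permissions, something that only works while /dev/fuse is not shipped world read/write) so a reader of git history does not need the list discussion. Two smaller points in the same message: the "Patch v4 is available: https://patchwork.kernel.org/patch/8944681/" line is changelog material and belongs below the "---" separator rather than in the permanent commit text, and the trailer "[dongsu: add a simple commit messasge]" has a typo ("message").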
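Review bot: drop the fuseblk_fs_type hunk (@@ -1244,7 +1244,7 @@) from this version, as the maintainer asked in the thread. fuseblk carries FS_REQUIRES_DEV, so adding FS_USERNS_MOUNT there lets a user namespace mount a block-device-backed fuse filesystem, which Miklos flagged as possibly unsafe, and the commit message, which talks only about mounting "fuse", says nothing about fuseblk at all. If the change is wanted later it needs its own patch with its own justification; as it stands the hunk changes "- .fs_flags = FS_REQUIRES_DEV | FS_HAS_SUBTYPE," to "+ .fs_flags = FS_REQUIRES_DEV | FS_HAS_SUBTYPE | FS_USERNS_MOUNT," without any accompanying explanation.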