Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible

2018-04-16 Thread Alexey Gladkov
On Sat, Apr 14, 2018 at 12:41:31AM +0200, Djalal Harouni wrote: > On Wed, Apr 4, 2018 at 4:45 PM, Eric W. Biederman > wrote: > [...] > > > > The only option I have seen proposed that might qualify as something > > general purpose and simple is a new filesystem that is just the process > > directo

Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible

2018-04-13 Thread Djalal Harouni
On Wed, Apr 4, 2018 at 4:45 PM, Eric W. Biederman wrote: [...] > > The only option I have seen proposed that might qualify as something > general purpose and simple is a new filesystem that is just the process > directories of proc. As there would in essence be no files that would > need restrict

Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible

2018-04-05 Thread Christian Brauner
On Wed, Apr 04, 2018 at 09:45:43AM -0500, Eric W. Biederman wrote: > Alban Crequy writes: > > > Since Linux v4.2 with commit 1b852bceb0d1 ("mnt: Refactor the logic for > > mounting sysfs and proc in a user namespace"), new mounts of proc or > > sysfs in non init userns are only allowed when there

Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible

2018-04-04 Thread Eric W. Biederman
Alexey Dobriyan writes: >> The only option I have seen proposed that might qualify as something >> general purpose and simple is a new filesystem that is just the process >> directories of proc. > > While "mount -t pid" and "mount -t sysctl" are decades overdue, I don't > think they cover everyth

Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible

2018-04-04 Thread Eric W. Biederman
"Serge E. Hallyn" writes: > Quoting Eric W. Biederman (ebied...@xmission.com): >> It looks like a cruft free cousin of proc that is just processes would >> be applicable to your usecase. > > Just to check - is that something you're working on? Only to the point of reviewing code, and I don't hav

Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible

2018-04-04 Thread Serge E. Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com): > It looks like a cruft free cousin of proc that is just processes would > be applicable to your usecase. Just to check - is that something you're working on? -serge

Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible

2018-04-04 Thread Alexey Dobriyan
> The only option I have seen proposed that might qualify as something > general purpose and simple is a new filesystem that is just the process > directories of proc. While "mount -t pid" and "mount -t sysctl" are decades overdue, I don't think they cover everything. IIRC some gcc versions read

Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible

2018-04-04 Thread Alexey Dobriyan
> Instead, it introduces new options in proc to disable some proc entries (TBD). No, no, no, no. Blacklists are bad, mmkay. The reason is that quite dangerous new /proc entries get added (think /proc/kpageflags) and suddenly they are enabled inside container. > The granularity does not need to

Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible

2018-04-04 Thread Aleksa Sarai
On 2018-04-04, Eric W. Biederman wrote: > > The following commands show my problem: > > > > $ sudo docker run -ti --rm --cap-add=SYS_ADMIN busybox sh -c 'unshare -U -r > > -p -m -f mount -t proc proc /home && echo ok' > > mount: permission denied (are you root?) > > > > $ sudo docker run -ti --rm

Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible

2018-04-04 Thread Eric W. Biederman
Alban Crequy writes: > Since Linux v4.2 with commit 1b852bceb0d1 ("mnt: Refactor the logic for > mounting sysfs and proc in a user namespace"), new mounts of proc or > sysfs in non init userns are only allowed when there is at least one > fully-visible proc or sysfs mount. > > This is to enforce

[PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible

2018-04-04 Thread Alban Crequy
Since Linux v4.2 with commit 1b852bceb0d1 ("mnt: Refactor the logic for mounting sysfs and proc in a user namespace"), new mounts of proc or sysfs in non init userns are only allowed when there is at least one fully-visible proc or sysfs mount. This is to enforce that proc/sysfs files masked by a