[Devel] [PATCH RH7 00/22] Port: user namespace owned mounts

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Thu Mar 10 08:31:53 PST 2016


We need it as secure way to provide privileged access to mounts
in containers. For instance setting suid bit, security.capability
xattr, allowing remount in CT.

Those patches are not all in MS now, but actually "[PATCH v4 0/7]
Initial support for user namespace owned mounts" patch series is
partially in Eric W. Biederman's testing tree, here:
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-testing

Other patches are Acked and have stayed without any feedback since
December 2015, see "[PATCH v2 00/19] Support fuse mounts in user
namespaces".

https://jira.sw.ru/browse/PSBM-43294
https://jira.sw.ru/browse/PSBM-43267

Major changes when porting:

1) dropped patches for selinux and other LSM as we do not
support them yet
2) dropped patch "new/fs: Update posix_acl support to handle
user namespace mounts" as that will need porting >=8 additional
patches from mainstream and now I do not know about any real
need of per s_user_ns posix ACLs in Virtuozzo, please correct
me if I'm wrong.
3) dropped fuse specific patches
4) port several needed patches from MS and add some fixes - migth
need to send them upstream.

Now we mount ploop disk to container root before userns for CT has
been created so root mount will have wrong s_user_ns on sb, for
testing purpose I include last patch which allows to change s_user_ns
on remount, but that is not safe, need to think how we can add it to
right userns from the begining.

Pavel Tikhomirov (22):
  ms/fs/super.c: fix WARN on alloc_super() fail path
  ebiederm/fs: Add user namesapace member to struct super_block
  fs: fix a posible leak of allocated superblock
  ms/mnt: Only change user settable mount flags in remount
  ms/mnt: Move the test for MNT_LOCK_READONLY from change_mount_flags
    into do_remount
  ms/mnt: Correct permission checks in do_remount
  ebiederm/userns: Simpilify MNT_NODEV handling.
  ebiederm/fs: Limit file caps to the user namespace of the super block
  port/block_dev: Support checking inode permissions in lookup_bdev()
  port/block_dev: Check permissions towards block device inode when
    mounting
  port/fs: Treat foreign mounts as nosuid
  fs: remove excess check for in_userns
  port/userns: Replace in_userns with current_in_userns
  port/fs: Check for invalid i_uid in may_follow_link()
  port/cred: Reject inodes with invalid ids in set_create_file_as()
  port/fs: Refuse uid/gid changes which don't map into s_user_ns
  port/fs: Ensure the mounter of a filesystem is privileged towards its
    inodes
  port/fs: Don't remove suid for CAP_FSETID in s_user_ns
  ms/fs: Add a missing permission check to do_umount
  port/fs: Allow superblock owner to access do_remount_sb()
  port/capabilities: Allow privileged user in s_user_ns to set
    security.* xattrs
  draft/ext4: add option to set userns of superblock

 drivers/md/dm-table.c          |  2 +-
 drivers/mtd/mtdsuper.c         |  2 +-
 fs/attr.c                      | 11 ++++++
 fs/block_dev.c                 | 20 ++++++++---
 fs/exec.c                      |  2 +-
 fs/ext4/super.c                | 68 +++++++++++++++++++++++++++++++++----
 fs/inode.c                     |  6 +++-
 fs/namei.c                     | 11 ++++--
 fs/namespace.c                 | 76 ++++++++++++++++++++++++++++++++++--------
 fs/proc/namespaces.c           |  2 ++
 fs/proc/root.c                 |  3 +-
 fs/quota/quota.c               |  2 +-
 fs/super.c                     | 46 +++++++++++++++++++++----
 include/linux/fs.h             | 15 ++++++++-
 include/linux/mount.h          | 10 +++++-
 include/linux/uidgid.h         | 10 ++++++
 include/linux/user_namespace.h |  6 ++++
 kernel/capability.c            | 13 +++++---
 kernel/cred.c                  |  2 ++
 kernel/user_namespace.c        | 14 ++++++++
 security/commoncap.c           | 14 +++++---
 security/selinux/hooks.c       |  2 +-
 22 files changed, 286 insertions(+), 51 deletions(-)

-- 
1.9.3



More information about the Devel mailing list