[Devel] [PATCH] ve: allow to do anything from init_user_ns
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Jul 25 15:23:51 MSK 2017
On 07/25/2017 03:20 PM, Stanislav Kinsburskiy wrote:
>
>
> 25.07.2017 14:46, Konstantin Khorenko writes:
>> The only possible problem I can see here in the future:
>> imagine we implement n:m mapping for user namespaces of vz Containers,
>> after that each fs superblock will contain a link to user_ns in which it was created
>> (in order to get user_ns id mapping).
>>
>> Thus in case someone enters from host to Container mount namespace and mounts something,
>> most probably it won't be accessible inside a Container due to different uid/gid mappings for file owners.
>>
>
> Who might that be?
Administrator, support. A Human.
>
>> --
>> Best regards,
>>
>> Konstantin Khorenko,
>> Virtuozzo Linux Kernel Team
>>
>> On 07/24/2017 11:55 PM, Andrei Vagin wrote:
>>> From: Andrei Vagin <avagin at virtuozzo.com>
>>>
>>> current_user_ns_initial() is used to restrict operations,
>>> which are allowed in a ve initial userns, but aren't allowed
>>> in sub-user-namespaces. But now this function doesn't take
>>> into account init_user_ns. init user_ns is a root item in the
>>> hierarchy of user namespaces, so it is actually initial
>>> for ve-s. The upstream kernel allows to do anything from
>>> init_user_ns, and we don't want to change this behaviour.
>>>
>>> https://jira.sw.ru/browse/PSBM-58574
>>>
>>> Cc: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
>>> Cc: Kirill Tkhai <ktkhai at virtuozzo.com>
>>> Signed-off-by: Andrei Vagin <avagin at virtuozzo.com>
>>> ---
>>> kernel/ve/ve.c | 3 +++
>>> 1 file changed, 3 insertions(+)
>>>
>>> diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
>>> index 0533d79..e95b3f3 100644
>>> --- a/kernel/ve/ve.c
>>> +++ b/kernel/ve/ve.c
>>> @@ -241,6 +241,9 @@ bool current_user_ns_initial(void)
>>> struct ve_struct *ve = get_exec_env();
>>> bool ret = false;
>>>
>>> + if (current_user_ns() == &init_user_ns)
>>> + return true;
>>> +
>>> rcu_read_lock();
>>> if (ve->ve_ns && ve->init_cred->user_ns == current_user_ns())
>>> ret = true;
>>>
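Review bot: the new early return on `if (current_user_ns() == &init_user_ns)` deserves a one-line comment, because it changes the meaning of the function compared with the remaining check `if (ve->ve_ns && ve->init_cred->user_ns == current_user_ns())`: that check ties "initial" to the ve the task is executing in (`get_exec_env()`), while the new one returns true for a task in the initial user namespace whatever ve it has entered. Suggest something like `/* init_user_ns is the root of the hierarchy, so every ve's initial userns is nested below it */` above the check. Placing the comparison before `rcu_read_lock()` is fine, since `init_user_ns` is a static object and no unlock path is needed on the early return.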