[Devel] [PATCH] ve: allow to do anything from init_user_ns

Stanislav Kinsburskiy skinsbursky at virtuozzo.com
Tue Jul 25 15:28:41 MSK 2017



25.07.2017 15:23, Konstantin Khorenko writes:
> On 07/25/2017 03:20 PM, Stanislav Kinsburskiy wrote:
>>
>>
>> 25.07.2017 14:46, Konstantin Khorenko writes:
>>> The only possible problem i can see here in the future:
>>> imagine we implement n:m mapping for user namespaces of vz Containers,
>>> after that each fs superblock will contain a link to user_ns in which it was created
>>> (in order to get user_ns id mapping).
>>>
>>> Thus in case someone enters from host to Container mount namespace and mount something,
>>> most probably it won't be accessible inside a Container due to different uid/gid mappings for file owners.
>>>
>>
>> Who might it be?
> 
> Administrator, support. A Human.
> 

Ah, ok. Then who cares. Simply "Don't do it".

>>
>>> -- 
>>> Best regards,
>>>
>>> Konstantin Khorenko,
>>> Virtuozzo Linux Kernel Team
>>> 
>>> On 07/24/2017 11:55 PM, Andrei Vagin wrote:
>>>> From: Andrei Vagin <avagin at virtuozzo.com>
>>>>
>>>> current_user_ns_initial() is used to restrict operations,
>>>> which are allowed in a ve initial userns, but aren't allowed
>>>> in sub-user-namespaces. But now this function doesn't take
>>>> into account init_user_ns. init user_ns is a root item in the
>>>> hierarchy of user namespaces, so it is actually initial
>>>> for ve-s. The upstream kernel allows to do anything from
>>>> init_user_ns, and we don't want to change this behaviour.
>>>>
>>>> https://jira.sw.ru/browse/PSBM-58574
>>>>
>>>> Cc: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
>>>> Cc: Kirill Tkhai <ktkhai at virtuozzo.com>
>>>> Signed-off-by: Andrei Vagin <avagin at virtuozzo.com>
>>>> ---
>>>>  kernel/ve/ve.c | 3 +++
>>>>  1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
>>>> index 0533d79..e95b3f3 100644
>>>> --- a/kernel/ve/ve.c
>>>> +++ b/kernel/ve/ve.c
>>>> @@ -241,6 +241,9 @@ bool current_user_ns_initial(void)
>>>>      struct ve_struct *ve = get_exec_env();
>>>>      bool ret = false;
>>>>
>>>> +    if (current_user_ns() == &init_user_ns)
>>>> +        return true;
>>>> +
>>>>      rcu_read_lock();
>>>>      if (ve->ve_ns && ve->init_cred->user_ns == current_user_ns())
>>>>          ret = true;
>>>>
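Review bot: the new early return makes init_user_ns membership sufficient on its own, regardless of which ve the caller is executing in, so a host task that has entered a Container's ve (get_exec_env() returning that ve) while keeping init_user_ns now passes as "initial" even though the existing `ve->init_cred->user_ns == current_user_ns()` comparison below would return false for it unless that ve's init_cred->user_ns happens to be init_user_ns. If that is the intended match with upstream, as the commit message says, a one-line comment above the new `if` stating that init_user_ns is unrestricted by design would keep the next reader from mistaking it for a bypass. Placing the check before rcu_read_lock() is fine, since current_user_ns() is taken from the caller's own credentials.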
>> .
>>
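An added illustration of the uid/gid-mapping concern Konstantin raises above and of the init_user_ns distinction in the commit message. This is example shell code written for this page, not code from the thread or from the Virtuozzo kernel tree. It assumes the standard /proc/<pid>/uid_map format ("id inside ns", "id outside ns", "length") and the kernel's default overflow uid of 65534; both maps it uses are constructed samples, not taken from a real system.

```shell
#!/bin/sh
# Added example; not code from the thread or from the Virtuozzo kernel tree.
# Models how a file owner's kernel uid (kuid) appears inside a user namespace
# with a given /proc/<pid>/uid_map, and how init_user_ns (identity map) differs
# from a Container's sub-namespace. Map text uses the /proc format:
# "<id inside ns> <id outside ns> <length>", one mapping per line.

# is_identity_map MAP -> succeeds only for the full identity map that
# init_user_ns presents ("0 0 4294967295" as a single line).
is_identity_map() {
    lines=$(printf '%s\n' "$1" | grep -c '[^[:space:]]')
    [ "$lines" -eq 1 ] || return 1
    printf '%s\n' "$1" | {
        read -r inside outside length
        [ "$inside" = 0 ] && [ "$outside" = 0 ] && [ "$length" = 4294967295 ]
    }
}

# kuid_to_ns_uid MAP KUID -> prints the uid that KUID is shown as inside the
# namespace, or 65534 (the overflow uid, "nobody") when KUID falls outside
# every mapped range. This is the situation described in the thread: a file
# created from the host by uid 0 is unmapped inside a Container whose map
# starts at kuid 100000, so it shows up as nobody rather than as the
# Container's root.
kuid_to_ns_uid() {
    map="$1"; kuid="$2"
    found=$(printf '%s\n' "$map" | while read -r inside outside length; do
        [ -n "$inside" ] || continue
        if [ "$kuid" -ge "$outside" ] && [ "$kuid" -lt $((outside + length)) ]; then
            echo $((kuid - outside + inside))
            break
        fi
    done)
    if [ -n "$found" ]; then echo "$found"; else echo 65534; fi
}

# Constructed sample maps (not taken from any real system).
HOST_MAP="         0          0 4294967295"
CT_MAP="         0     100000      65536"

# Optional live check: report whether this shell runs in init_user_ns.
if [ -r /proc/self/uid_map ]; then
    if is_identity_map "$(cat /proc/self/uid_map)"; then
        echo "this process runs in init_user_ns"
    else
        echo "this process runs in a sub-user-namespace"
    fi
fi

echo "host root (kuid 0) seen inside Container: $(kuid_to_ns_uid "$CT_MAP" 0)"
echo "Container root (kuid 100000) seen inside Container: $(kuid_to_ns_uid "$CT_MAP" 100000)"
```

Run it from the host and again after entering a Container with a non-identity map: the live check flips, and the constructed CT_MAP shows why a file mounted in from init_user_ns with host ownership lands on the overflow uid inside the Container.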

