Re: [RCF] [PATCH] unprivileged mount/umount

> I think the best thing to do for "jails" and such is to think of a
> private namespace as a collection of bind mounts in a private tree
> that (normally) cannot be reached from elsewhere, not can it reach
> elsewhere.
> 
> And leave it to adminstration to ensure that a tree isn't visible from
> another tree if you don't want it to be for security purposes.  That
> basically amounts to making sure processes that shouldn't communicate
> or ptrace each other can't.
> 
> With that view, the kernel's notion of "namespace" is redundant.

I'm not sure. 

> It doesn't add anything to the security model, and it doesn't add
> any useful functionality.

Struct namespace is pretty small, so let's see:

  1) count:  reference count for the "tree"

     if you remove this, how will you know when to "unmount" the tree?

  2) root: the root of the tree

     needed for the unmount, when the namespace has no more references

  3) list: flat list of mounts in the tree

     used by /proc/PID/mounts, but probably not strictly needed

  4) sem:  protects the mount list and the tree from modification

     could be removed in favor of a global lock, but that would
     increase contention

> In other words, is ->mnt_namespace required at all, except to contain
> namespace->sem (which could be changed)?  I don't think it adds
> anything realistic to security.  The way to make secure jails is to
> isolated their trees so they are unreachable.  ->mnt_namespace doesn't
> make any difference to that.

Probably true.  check_mnt() is there to make sure only trees protected
by namespace->sem are modified, and is not a security check.  That is
why the recursive bind mount from foreign namespace is not allowed,
while the simple bind mount is.

Miklos
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

References:
- Re: [RCF] [PATCH] unprivileged mount/umount
  - From: Ram <[email protected]>
- Re: [RCF] [PATCH] unprivileged mount/umount
  - From: Jamie Lokier <[email protected]>
- Re: [RCF] [PATCH] unprivileged mount/umount
  - From: Ram <[email protected]>
- Re: [RCF] [PATCH] unprivileged mount/umount
  - From: Eric Van Hensbergen <[email protected]>
- Re: [RCF] [PATCH] unprivileged mount/umount
  - From: Jamie Lokier <[email protected]>
- Re: [RCF] [PATCH] unprivileged mount/umount
  - From: Eric Van Hensbergen <[email protected]>
- Re: [RCF] [PATCH] unprivileged mount/umount
  - From: Jamie Lokier <[email protected]>
- Re: [RCF] [PATCH] unprivileged mount/umount
  - From: Eric Van Hensbergen <[email protected]>
- Re: [RCF] [PATCH] unprivileged mount/umount
  - From: Jamie Lokier <[email protected]>
- Re: [RCF] [PATCH] unprivileged mount/umount
  - From: Miklos Szeredi <[email protected]>
- Re: [RCF] [PATCH] unprivileged mount/umount
  - From: Jamie Lokier <[email protected]>

Prev by Date: Re: [2.6 patch] fs/xfs/: possible cleanups
Next by Date: Re: [RCF] [PATCH] unprivileged mount/umount
Previous by thread: Re: [RCF] [PATCH] unprivileged mount/umount
Next by thread: Re: [RCF] [PATCH] unprivileged mount/umount
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]