Re: [PATCH] namespace.c: fix bind mount from foreign namespace

From: Miklos Szeredi
Date: Mon May 16 2005 - 08:29:32 EST


> > 1) you need not recursively bind the whole tree of the private
> > namespace. In fact you can only do that by hand, since the kernel
> > won't do it (!recurse || check_mnt(old_nd.mnt) in do_loopback).
>
> That would be easy to change if it was desired though, by taking both
> namespace semaphores when two namespaces are involved.

Yes.

The other check_mnt() calls could be removed by taking
nd.mnt->mnt_namespace->sem instead of current->namespace->sem in the
relevant functions.

It does make sense IMO, even if it won't be used very often, since
only very little extra complexity is involved.

> > 4) in fact, the process in the originating namespace can single out a
> > mount and just send a file descriptor referring to that mount
> > (e.g. by binding it to a temporary directory, opening the root,
> > detaching from the mountpoint, and then sending the file descriptor
> > to the receiving process). This way the receiving process will see
> > no other mounts in the originating namespace, and can only bind
> > from that single mount.
>
> Nice. The process in the originating namespace can also bind a small,
> carefully selected tree of mounts to a tree in that temporary
> directory before passing it, so the recipient can chroot/chdir into
> the set of mounts and get only those explicitly authorised by the
> originating process.

That won't work, since detach (umount -l) will break up the tree, and
the file descriptor will hold a reference to only one vfsmount/dentry.

Miklos