Re: [PATCH 0/2] userns: automount cleanups

From: Eric W. Biederman
Date: Thu Nov 30 2017 - 00:21:51 EST

Next message: Dave Young: "[PATCH] x86: move parse_early_param to earlier code for add_efi_memmap"
Previous message: Thomas Meyer: "Re: BUG: KASAN: use-after-free in cmp_ex_search+0x29/0x71"
In reply to: Ian Kent: "Re: [PATCH 0/2] userns: automount cleanups"
Next in thread: Ian Kent: "Re: [PATCH 0/2] userns: automount cleanups"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Ian Kent <raven@xxxxxxxxxx> writes:

> On 30/11/17 08:01, Eric W. Biederman wrote:
>>
>> While reviewing some code I realized that in getting d_automount working
>> with s_user_ns I had left behind some unnecessary relics of the blind
>> path I started down. Here are two patches that remove those relics.
>>
>> Unless someone has another preference I will drop them in my userns tree
>> and merge them that way.
>
> I saw the "<etc>->s_user_ns != &init_user_ns" and wondered if that would
> trigger for automount(8) run entirely with a container (eg. docker)?

autofs still needs FS_USERNS_MOUNT before you can reach that point. But
docker does have a mode ?--userns-remap? where it sets up the containers
mounts that way.

I think in principle that should work and be safe. I don't know how
robust autofs is against malicious users. Which is the question to ask
before actually adding FS_USERNS_MOUNT in struct file_system_type.

> Anyway, it's gone now, so ACK to these two, thanks Eric.

Eric

Next message: Dave Young: "[PATCH] x86: move parse_early_param to earlier code for add_efi_memmap"
Previous message: Thomas Meyer: "Re: BUG: KASAN: use-after-free in cmp_ex_search+0x29/0x71"
In reply to: Ian Kent: "Re: [PATCH 0/2] userns: automount cleanups"
Next in thread: Ian Kent: "Re: [PATCH 0/2] userns: automount cleanups"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]