Re: [RFC] Allow user namespace inside chroot

From: Andy Lutomirski
Date: Mon Oct 15 2018 - 13:27:24 EST

Next message: Vijay Khemka: "Re: [PATCH net-next v4] net/ncsi: Add NCSI Broadcom OEM command"
Previous message: Doug Anderson: "Re: [PATCH] dt-bindings: ufs: Fix the compatible string definition"
In reply to: Jann Horn: "Re: [RFC] Allow user namespace inside chroot"
Next in thread: Eric W. Biederman: "Re: [RFC] Allow user namespace inside chroot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Oct 15, 2018 at 10:22 AM Jann Horn <jannh@xxxxxxxxxx> wrote:
>
> On Mon, Oct 15, 2018 at 7:10 PM <nagarathnam.muthusamy@xxxxxxxxxx> wrote:
> > Following commit disables the creation of user namespace inside
> > the chroot environment.
> >
> > userns: Don't allow creation if the user is chrooted
> >
> > commit 3151527ee007b73a0ebd296010f1c0454a919c7d
> >
> > Consider a system in which a non-root user creates a combination
> > of user, pid and mount namespaces and confines a process to it.
> > The system will have multiple levels of nested namespaces.
> > The root namespace in the system will have lots of directories
> > which should not be exposed to the child confined to the set of
> > namespaces.
> >
> > Without chroot, we will have to hide all unwanted directories
> > individually using bind mounts and mount namespace.
>
> IMO what you really should be doing is to create a tmpfs, bind-mount
> the directories you want into it, and then pivot_root() into that, not
> the other way around.

Indeed. Or you can just recursive bind-mount the subtree you want and
then pivot_root() into it.

--Andy

Next message: Vijay Khemka: "Re: [PATCH net-next v4] net/ncsi: Add NCSI Broadcom OEM command"
Previous message: Doug Anderson: "Re: [PATCH] dt-bindings: ufs: Fix the compatible string definition"
In reply to: Jann Horn: "Re: [RFC] Allow user namespace inside chroot"
Next in thread: Eric W. Biederman: "Re: [RFC] Allow user namespace inside chroot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]