Re: [RCF] [PATCH] unprivileged mount/umount

[serue]

Quoting Eric Van Hensbergen (ericvh@xxxxxxxxx):
> Let's focus on baby steps first, and to me that's:
> a) get rid of holes that allow users to traverse out of a chroot jail
> by using the creation of private name spaces (is anyone working on
> this, did I miss a patch?)

I have tested doing
	clone(CLONE_NEWNS);
	chdir(/some_jail_dir);
	pivot_root(., tmp)
	umount2(tmp, MNT_DETACH)
	chroot(.)

which appears to prevent escapes from chroot jails.  So unless my tests
were insufficient, we don't need additional kernel support.  We can just
use something like chroot_ns.c from www.sf.net/projects/linux-jail/.

> b) make CLONE_NEWNS (and any other name space creation mechanisms such
> as the proposed unshare system call) available to normal users
> c) Get the unshare system call adopted as it seems to be generally useful
> d) Get Miklos' unprivileged mount/umount patch adopted in mainline

and I'd say

e) Work towards the shared namespaces, which are really one of the
main reasons not to use namespaces right now.

I know this work is being done, so this isn't so much a request for the
shared namespaces, as just a reminder that this will be one of the major
pieces of functionality to consider along with the ones you listed.

thanks,
-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/