Re: [PATCH] fs: Treat non-ancestor-namespace mounts as MNT_NOSUID

[Andy Lutomirski]

On Tue, Oct 14, 2014 at 3:07 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> On Tue, Oct 14, 2014 at 2:57 PM, Eric W. Biederman

>>> Seth, this should address a problem that's related to yours.  If a
>>> userns creates and untrusted fs (by any means, although admittedly fuse
>>> and user namespaces don't work all that well together right now), then
>>> this prevents shenanigans that could happen when the userns passes an fd
>>> pointing at the filesystem out to the root ns.
>>
>> Andy for now I really think we are best not even reading those
>> capabilities into the vfs from unprivileged mounts.
>
> But won't we want to support letting userns containers create setuid
> files and security labels using FUSE and related things for their own
> benefit someday?  This lets us do that without compromising the init
> namespace.

More concretely, root in a userns should be able to have a
setuid-whomever or security-labeled file, and another user in that
userns should be able to exec it and transition.  But, if you're
outside the userns, then:

$ /proc/PID_IN_USERNS/root/path/to/labeled/file

shouldn't transition.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/