[PATCH 3/4] fs: allow mknod in user namespaces
Vasily Kulikov
segoon at openwall.com
Fri Mar 15 18:03:08 UTC 2013
On Fri, Mar 15, 2013 at 13:13 +0400, Glauber Costa wrote:
> Since we have strict control on who access the devices, it should be
> no problem to allow the device to appear.
...
> - if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
> + if ((S_ISCHR(mode) || S_ISBLK(mode)) && !nsown_capable(CAP_MKNOD))
As now we have several mechanisms for dev nodes usage in containers
(cgroup, per-fs flags, CAP_MKNOD), probably it's better to document
all this stuff in a single document? Enumerate all possible limits
of device files creation and usage, and describe unobvious ways to
abuse the API to escape from a container (allow loopback device?
allow ext4? just guessing, didn't investigate myself). It should
document several safe patterns for common cases and beware of
known-to-be-vulnerable ones.
Thanks,
--
Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments
More information about the Containers
mailing list