[REVIEW][PATCH 1/2] userns: Better restrictions on when proc and sysfs can be mounted
Eric W. Biederman
ebiederm at xmission.com
Sat Nov 9 05:22:48 UTC 2013
Janne Karhunen <janne.karhunen at gmail.com> writes:
> On Sat, Nov 2, 2013 at 8:06 AM, Gao feng <gaofeng at cn.fujitsu.com> wrote:
>
>> And another question, it looks like if we don't have proc/sys fs mounted,
>> then proc/sys will be failed to be mounted?
>
> I have been wondering the same. Was quite some illogical surprise that
> we have to be doing overlay mounts. This is the exact opposite from what
> anyone would expect.
Before I address the question of bugs I will answer the question of
semantics.
In weird cases like chroot jails it is desirable not to mount /sys and /proc
and if root sets that policy it would be unfortunate if user namespaces
overrode the policy. It limits what an attacker can accomplish.
So yes in the case of /proc and /sys the goal is to limit you to
functionality you could have had with bind mounts.
Eric
More information about the Containers
mailing list