[GIT PULL] namespace updates for v3.17-rc1
kenton at sandstorm.io
Wed Aug 13 04:45:06 UTC 2014
On Tue, Aug 12, 2014 at 9:17 PM, Eric W. Biederman <ebiederm at xmission.com>
> If you can find a userspace application that matters I might care
> that a security fix breaks it.
FWIW, it broke Sandstorm.io, but we already pushed a fix, and I'm not sure
if you'd say that we "matter".
> If there is an actual regression of actual code I am happy to deal
> with it. But having the MNT_NODEV on those mounts has been the case
> for a long time now and is not new (no regression). This change just
> closed the security hole that allowed nodev to be removed. And that
> security hole we need to have fixed.
The problem is that users like us had no idea that nodev was being silently
added in the first place, and thus didn't know that we needed to specify it
in remounts. We create the tmpfs, put some things in it, and then want to
remount it read-only for the sandbox. It seems reasonable to expect that a
newly-created tmpfs would have exactly the flags I gave it when I created
it, not silently get an additional flag that I then need to pass on remount.
Note further that it may be very hard for normal developers to figure out
why their remount is failing in this case. Andy only discovered the silent
nodev by reading the kernel code.
More information about the Containers