[GIT PULL] User namespace related fixes for v4.2

Eric W. Biederman ebiederm at xmission.com
Mon Jul 6 21:24:00 UTC 2015

On July 6, 2015 3:47:48 PM CDT, Seth Forshee <seth.forshee at canonical.com> wrote:
>On Wed, Jul 01, 2015 at 03:41:37PM -0500, Eric W. Biederman wrote:
>> This set of changes also starts enforcing the mount flags of fresh
>> mounts of proc and sysfs are consistent with the existing mount of
>> and sysfs.  I expected this to be the boring part of the work but
>> unfortunately unprivileged userspace winds up mounting fresh copies
>> proc and sysfs with noexec and nosuid clear when root set those flags
>> the previous mount of proc and sysfs.  So for now only the atime,
>> read-only and nodev attributes which userspace happens to keep
>> consistent are enforced.  Dealing with the noexec and nosuid
>> remains for another time.
>Sorry to be the bearer of bad news, but I am seeing a regression in lxc
>with 4.2-rc1 due to this change. lxc is doing a fresh mount of sysfs
>that never specifies either read-only or nodev regardless of how sysfs
>has been mounted previously, and this is causing me to see mount
>failures because of the nodev check.
>If I comment out only the nodev check then the mount works on my
>but based on the code in lxc I don't think there's any guarantee at all
>of this mount having flags consistent with previous mounts.

Seth you are testing your inprogress patchset that
modifies how nodev works aren't you?

In rc1 nodev is always forced on a mount in a user namespace.

There is a fairly easy fix to the nodev cleanup in your
patchset, but it takes a few lines of code change in
fs_fully_visible.  Essentially after we get the better
nodev enforcement, fs_fully_visible does not need
to bother with nodev.


More information about the Containers mailing list