Fuse in userns

Eric W. Biederman ebiederm at xmission.com
Wed Nov 11 16:24:33 UTC 2015


Nikolay Borisov <n.borisov at siteground.com> writes:

> Hello Eric,
>
> I'd like to ask you what it would take to have proper support of Fuse
> inside usernamespaces. I've looked through the code of fuse and I can
> see some things are specifically coded to prevent creating a mount
> inside userns. E.g. hard-coded usage of init_user_ns or the check
> inside fuse_fill_super to make sure the fd is obtained from the
> init_user_ns. I have also read your argument here:
> https://lkml.org/lkml/2012/11/12/591
>
> So I'm interested in knowing the following:
>  * Are you still actively working on making fuse mountable in non-root
> userns, if not is the partial patch available somewhere? I might be
> able to do some work on that and hopefully make it upstreamable.

Yes.

> * If the code is not available can you explain what are the main
> hurdles in getting this to work? In my experiments I've hacked fuse
> and I'm able to mount glusterfs inside an LXC container but I suspect
> I might have broken some subtle security aspect :)

The subtle security aspect is definitely where things get tricky.

fuse is unique compared to the existing filesystems that we can mount in
a user namespace in that it has an untrusted backing store.  Dealing
with an untrusted backing store raises some new challenges with respect
to the vfs, etc.

The current plan is to deal with all of the weird tricky generic issues
in the vfs, and then add support for fuse.  Solving the backing store
issues generically instead of a fuse specific way pushes the
conversation to the right places and with the appropriate people.

Seth Forshee has put in a lot of work to make this happen, and his
changes are almost there.  I had hoped to just do a quick review of his
work and merge the code this last kernel development cycle.
Unfortunately the issues are vast enough and subtle enough that it is
easy to drop a detail or two.  So I figure a very close review of what
Seth has done is needed so that we do not introduce new issues.

Hopefully colds etc won't prevent that from happening this cycle.

I am also beginning to suspect there is a case for a general review of
everything that is allowed in user namespaces to see if it is possible
to spot anything that has been overlooked.

Eric



More information about the Containers mailing list