[PATCH 0/2] userns: automount cleanups

Eric W. Biederman ebiederm at xmission.com
Thu Nov 30 05:21:24 UTC 2017


Ian Kent <raven at themaw.net> writes:

> On 30/11/17 08:01, Eric W. Biederman wrote:
>> 
>> While reviewing some code I realized that in getting d_automount working
>> with s_user_ns I had left behind some unnecessary relics of the blind
>> path I started down.  Here are two patches that remove those relics.
>> 
>> Unless someone has another preference I will drop them in my userns tree
>> and merge them that way.
>
> I saw the "<etc>->s_user_ns != &init_user_ns" and wondered if that would
> trigger for automount(8) run entirely with a container (eg. docker)?

autofs still needs FS_USERNS_MOUNT before you can reach that point.  But
docker does have a mode "--userns-remap" where it sets up the container's
mounts that way.

I think in principle that should work and be safe.  I don't know how
robust autofs is against malicious users.  Which is the question to ask
before actually adding FS_USERNS_MOUNT in struct file_system_type.

> Anyway, it's gone now, so ACK to these two, thanks Eric.

Eric

