[REVIEW][PATCH 2/6] vfs: Allow userns root to call mknod on owned filesystems.
Eric W. Biederman
ebiederm at xmission.com
Thu May 24 16:55:45 UTC 2018
Seth Forshee <seth.forshee at canonical.com> writes:
> On Wed, May 23, 2018 at 06:25:34PM -0500, Eric W. Biederman wrote:
>> These filesystems already always set SB_I_NODEV so mknod will not be
>> useful for gaining control of any devices no matter their permissions.
>> This will allow overlayfs and applications to fakeroot to use device
>> nodes to represent things on disk.
>> Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
> For a normal filesystem this does seem safe enough.
> However, I'd also like to see us allow unprivileged mounting for
> overlayfs, and there we need to worry about whether this would allow a
> mknod in an underlying filesystem which should not be allowed. That
> mknod will be subject to this same check in the underlying filesystem
> using the credentials of the user that mounted the overaly fs, which
> should be sufficient to ensure that the mknod is permitted.
Sufficient to ensure the mknod is not permitted on the underlying
filesystem. I believe you mean.
> Thus this looks okay to me.
> Acked-by: Seth Forshee <seth.forshee at canonical.com>
More information about the Containers