Date: Tue, 16 Jul 2013 19:50:03 +0000
From: "Serge E. Hallyn"
To: Al Viro
Cc: Serge Hallyn, "Eric W. Biederman", linux-kernel@vger.kernel.org
Subject: Re: [PATCH RFC] allow some kernel filesystems to be mounted in a user namespace
Message-ID: <20130716195002.GA23370@mail.hallyn.com>
References: <20130716192920.GA8980@sergelap> <20130716193826.GP4165@ZenIV.linux.org.uk>
In-Reply-To: <20130716193826.GP4165@ZenIV.linux.org.uk>

Quoting Al Viro (viro@ZenIV.linux.org.uk):
> On Tue, Jul 16, 2013 at 02:29:20PM -0500, Serge Hallyn wrote:
> > All the files will be owned by host root, so there's no security
> > concern in allowing this.
>
> Files owned by root != very bad things can't be done by non-root.
> Especially for debugfs, which is very much a "don't even think about
> mounting that on a production box" thing...

I would prefer it not be mounted. But near as I can tell there should
be no regression security-wise whether an unprivileged user on the
host has access to it, or whether a user in a non-init user ns is
allowed to mount it.

(Obviously I could very well be wrong)

-serge