Message-ID: <1457428591.27353.55.camel@redhat.com>
Subject: Re: [PATCH] devpts: Add ptmx_uid and ptmx_gid options
From: Alexander Larsson <alexl@redhat.com>
To: Andy Lutomirski <luto@amacapital.net>,
        "Eric W. Biederman" <ebiederm@xmission.com>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>,
        gnome-os-list@gnome.org,
        Linux Containers <containers@lists.linux-foundation.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        mclasen@redhat.com, Linux FS Devel <linux-fsdevel@vger.kernel.org>
Date: Tue, 08 Mar 2016 10:16:31 +0100
In-Reply-To: <CALCETrXNyyG-LZ8ds5ALbWs_Tfonev4+Ci=XZwWFqsSeszes8g@mail.gmail.com>
References: <b321c0c2729d1c2a72aea319b077dce7afd79698.1424480579.git.luto@amacapital.net>
	 <CALCETrVtGE8LdBCFTe1_cqpLf=SxPNX5iCe5wa-hZ0pe8ps_jA@mail.gmail.com>
	 <1427447013.2250.9.camel@HansenPartnership.com>
	 <1427788642.4411.12.camel@redhat.com>
	 <1427807248.2117.117.camel@HansenPartnership.com>
	 <CALCETrWKA4ZdHfdLuW0_W5xxJOSCJdt_fiRWs6vDk+8ZQ9n9iA@mail.gmail.com>
	 <1427808184.2117.122.camel@HansenPartnership.com>
	 <CALCETrW8v1NFa7fcJbyJKXk9Msudht5BJ7Zy1Rg7ZC_TS-2Y-Q@mail.gmail.com>
	 <1427810118.2117.126.camel@HansenPartnership.com>
	 <CALCETrU1vKf3fXPt8nS-ABDgfp8NxrFjHwTc68rA0rtvg2Lufg@mail.gmail.com>
	 <1427810886.2117.129.camel@HansenPartnership.com>
	 <1427811444.4411.20.camel@redhat.com>
	 <1427969525.3559.120.camel@HansenPartnership.com>
	 <CALCETrWyUYgHY53O451AdJUs9Mcjsqmr4fUzoNmYsTP1HLq+VA@mail.gmail.com>
	 <1427984969.13651.11.camel@redhat.com>
	 <CALCETrWYit+WiAM6DFm0enGeJN==uWNC63zXp_zRSsSJg2YGPg@mail.gmail.com>
	 <87zj6qs7v8.fsf@x220.int.ebiederm.org>
	 <CALCETrVGcCA2SMiDT8JN=AWiSFCXWSaMeKBQmkbKynKfiPJCwA@mail.gmail.com>
	 <87oal4odne.fsf@x220.int.ebiederm.org>
	 <1432832511.21304.6.camel@redhat.com>
	 <CALCETrUueGomqFG0DSpt5Ern-XW6DE+rAEkd=3Y2ekV+gOwLAA@mail.gmail.com>
	 <87siagh4kh.fsf@x220.int.ebiederm.org>
	 <CALCETrXNyyG-LZ8ds5ALbWs_Tfonev4+Ci=XZwWFqsSeszes8g@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1578
Lines: 35

On mån, 2016-03-07 at 20:59 -0800, Andy Lutomirski wrote:
> On Thu, May 28, 2015 at 12:42 PM, Eric W. Biederman
> <ebiederm@xmission.com> wrote:
> > Andy Lutomirski <luto@amacapital.net> writes:
> > 
> Apparently alexl is encountering some annoyances related to the
> current workaround, and the workaround is certainly ugly.

It works, but it introduces an extra namespace that gets exposed to the
world, which is pretty ugly. For instance, entering the namespace
becomes hard. I can setns() into the intermediate user+mount namespace
without problems, but if i try to setns into the final user+mount ns
(it gets its own implicit mount ns) i get EPERM. I'm not sure exactly
why though...

> Your proposal seems like it could break some use cases involving
> fscaps on a mount or mount-like binary.
> 
> What if we change it to use the owner of the userns that owns the
> current mount ns?  For anything that doesn't explicitly use
> namespaces, this will be zero.  For namespace users, it should do the
> right thing.

Any of these is fine with me. One nice thing would if i could somehow
detect whether this was supported or not so that i can fall back on the
old workaround.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       alexl@redhat.com            alexander.larsson@gmail.com 
He's an all-American guitar-strumming househusband with no name. She's a 
scantily clad impetuous former first lady who don't take no shit from 
nobody. They fight crime!