MIME-Version: 1.0
In-Reply-To: <1457428591.27353.55.camel@redhat.com>
References: <b321c0c2729d1c2a72aea319b077dce7afd79698.1424480579.git.luto@amacapital.net>
 <CALCETrVtGE8LdBCFTe1_cqpLf=SxPNX5iCe5wa-hZ0pe8ps_jA@mail.gmail.com>
 <1427447013.2250.9.camel@HansenPartnership.com> <1427788642.4411.12.camel@redhat.com>
 <1427807248.2117.117.camel@HansenPartnership.com> <CALCETrWKA4ZdHfdLuW0_W5xxJOSCJdt_fiRWs6vDk+8ZQ9n9iA@mail.gmail.com>
 <1427808184.2117.122.camel@HansenPartnership.com> <CALCETrW8v1NFa7fcJbyJKXk9Msudht5BJ7Zy1Rg7ZC_TS-2Y-Q@mail.gmail.com>
 <1427810118.2117.126.camel@HansenPartnership.com> <CALCETrU1vKf3fXPt8nS-ABDgfp8NxrFjHwTc68rA0rtvg2Lufg@mail.gmail.com>
 <1427810886.2117.129.camel@HansenPartnership.com> <1427811444.4411.20.camel@redhat.com>
 <1427969525.3559.120.camel@HansenPartnership.com> <CALCETrWyUYgHY53O451AdJUs9Mcjsqmr4fUzoNmYsTP1HLq+VA@mail.gmail.com>
 <1427984969.13651.11.camel@redhat.com> <CALCETrWYit+WiAM6DFm0enGeJN==uWNC63zXp_zRSsSJg2YGPg@mail.gmail.com>
 <87zj6qs7v8.fsf@x220.int.ebiederm.org> <CALCETrVGcCA2SMiDT8JN=AWiSFCXWSaMeKBQmkbKynKfiPJCwA@mail.gmail.com>
 <87oal4odne.fsf@x220.int.ebiederm.org> <1432832511.21304.6.camel@redhat.com>
 <CALCETrUueGomqFG0DSpt5Ern-XW6DE+rAEkd=3Y2ekV+gOwLAA@mail.gmail.com>
 <87siagh4kh.fsf@x220.int.ebiederm.org> <CALCETrXNyyG-LZ8ds5ALbWs_Tfonev4+Ci=XZwWFqsSeszes8g@mail.gmail.com>
 <1457428591.27353.55.camel@redhat.com>
From: Andy Lutomirski <luto@amacapital.net>
Date: Tue, 8 Mar 2016 10:17:56 -0800
Message-ID: <CALCETrWq37bfZASiJwYzj1sH5H-7W8EdhA83XPsUKMizjQDfog@mail.gmail.com>
Subject: Re: [PATCH] devpts: Add ptmx_uid and ptmx_gid options
To: Alexander Larsson <alexl@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
        James Bottomley <James.Bottomley@hansenpartnership.com>,
        gnome-os-list@gnome.org,
        Linux Containers <containers@lists.linux-foundation.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        mclasen@redhat.com, Linux FS Devel <linux-fsdevel@vger.kernel.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8BIT
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1452
Lines: 34

On Tue, Mar 8, 2016 at 1:16 AM, Alexander Larsson <alexl@redhat.com> wrote:
> On mån, 2016-03-07 at 20:59 -0800, Andy Lutomirski wrote:
>> On Thu, May 28, 2015 at 12:42 PM, Eric W. Biederman
>> <ebiederm@xmission.com> wrote:
>> > Andy Lutomirski <luto@amacapital.net> writes:
>> >
>> Apparently alexl is encountering some annoyances related to the
>> current workaround, and the workaround is certainly ugly.
>
> It works, but it introduces an extra namespace that gets exposed to the
> world, which is pretty ugly. For instance, entering the namespace
> becomes hard. I can setns() into the intermediate user+mount namespace
> without problems, but if i try to setns into the final user+mount ns
> (it gets its own implicit mount ns) i get EPERM. I'm not sure exactly
> why though...
>
>> Your proposal seems like it could break some use cases involving
>> fscaps on a mount or mount-like binary.
>>
>> What if we change it to use the owner of the userns that owns the
>> current mount ns?  For anything that doesn't explicitly use
>> namespaces, this will be zero.  For namespace users, it should do the
>> right thing.
>
> Any of these is fine with me. One nice thing would if i could somehow
> detect whether this was supported or not so that i can fall back on the
> old workaround.

I'll send a patch.

I suppose the straightforward, if slightly awkward, way to detect it
is just to try it -- create a namespace and try to mount devpts.

--Andy