From: Dongsu Park
Date: Sat, 23 Dec 2017 13:18:30 +0100
Subject: Re: [PATCH 02/11] mtd: Check permissions towards mtd block device inode when mounting
To: Richard Weinberger
Cc: LKML, Miklos Szeredi, Linux Containers, Seth Forshee, Alban Crequy, "Eric W . Biederman", Sargun Dhillon, "linux-mtd@lists.infradead.org"
References: <945d325a2239efcd55273abb2bac41cfc7264fea.1512041070.git.dongsu@kinvolk.io>

Hi,

On Fri, Dec 22, 2017 at 10:06 PM, Richard Weinberger wrote:
> Dongsu,
>
> On Fri, Dec 22, 2017 at 3:32 PM, Dongsu Park wrote:
>> From: Seth Forshee
>>
>> Unprivileged users should not be able to mount mtd block devices
>> when they lack sufficient privileges towards the block device
>> inode. Update mount_mtd() to validate that the user has the
>> required access to the inode at the specified path. The check
>> will be skipped for CAP_SYS_ADMIN, so privileged mounts will
>> continue working as before.
>
> What is the big picture of this?
> Can in future an unprivileged user just mount UBIFS?

I'm not sure I'm aware of all use cases w.r.t. mtd & ubifs.
To my understanding, these days many container runtimes allow
unprivileged users to run containers
(docker, lxc, runc, bubblewrap, etc.). That's why the kernel should deal
with additional permission checks that might not have been necessary in
the past. This MTD patch is one of those special cases.

> Please note that UBIFS sits on top of a character device and not a block device.

Aha, good to know.

Thanks,
Dongsu

> --
> Thanks,
> //richard