Received: by 10.223.148.5 with SMTP id 5csp6232657wrq; Wed, 17 Jan 2018 10:58:48 -0800 (PST) X-Google-Smtp-Source: ACJfBovRP1CyuToIYye7hh5bV/nG+gy+v2C8rQKNTxw6iau/XwYThBYNqHKJVDkbPh/2F2mnYWmD X-Received: by 10.84.245.23 with SMTP id i23mr43943650pll.219.1516215528385; Wed, 17 Jan 2018 10:58:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516215528; cv=none; d=google.com; s=arc-20160816; b=Pd/dPEZKSQ7feFrigDX610+CgwlskfCUUM8lRhMw6Bo2F9gAaJHulSMlDxQEa6lnt2 A5VeBQRdi8WTTd359fBZy/h1Ix66kEa0tf48A1jnNNGbaRRnc/wob2+HO0HzkWUVM58X CGRUd+7v70Cj91krcMtX6VGkBAfABgRJLRQnX/uQKx10eO099oObcVFrnyE/hZF+TOhB CYUK+hplmb50kf7hEjWbrFXe11A+WAQfSSUqk+vc/L6phzgyi3Nw6Dakon+kjJN6dKVH kf/PQuP/aNRMf1cREmGcSlasn9CzH+g28mIjCPwXO8hJhrD2a7VQHx8Zoiaap3sA68wV fQmQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=c/b7iN9OVDYnJ0856w6+tZf3fztX3qnYGN96NK7ggzg=; b=no1G4Zcm0K74zUzVP4qY9IU4XlNgul3+1Fjx3yG01zOLVS+QBMt9WxPbFaIs6bIyNu PRNhijFKnVCw+z9ZsdOn/Bb9yk3lH7c6+y1thbFiZh25JeGeC6i34dUyASLm3vuE5D7l jAxA10uv0vcv08vxo3LaTh5ojmAJERi/d88ubZ6T0bq8D6I/i1GVcxLRsvPzxSC/7ghI /0ZgyrWwBkwUR8Jfro10kOplNflBSWso+CiOO6BTLV7tCPdeJT0QUF9ywVj8pCn674tb mjPyH/jknKgIK7bricSGqH3RTjrWYOWLBqOu72EZjeqVsNVRDMOR6IKbRtcdxvn9y9HY Hwig== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kinvolk.io header.s=google header.b=ct7pUNHw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a84si3738803pfk.72.2018.01.17.10.58.33; Wed, 17 Jan 2018 10:58:48 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kinvolk.io header.s=google header.b=ct7pUNHw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754565AbeAQS5C (ORCPT + 99 others); Wed, 17 Jan 2018 13:57:02 -0500 Received: from mail-pf0-f196.google.com ([209.85.192.196]:43006 "EHLO mail-pf0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752579AbeAQS5A (ORCPT ); Wed, 17 Jan 2018 13:57:00 -0500 Received: by mail-pf0-f196.google.com with SMTP id b25so5817019pfd.9 for ; Wed, 17 Jan 2018 10:57:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kinvolk.io; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=c/b7iN9OVDYnJ0856w6+tZf3fztX3qnYGN96NK7ggzg=; b=ct7pUNHwBauoLqG7Ofjdb7zIAI4qMA2EkQc0Pvwf/l/4qdyZNIopBmfVot6+cXPSCT S3i+GwpphcqHTY7jJqvbYf7tvANkjZO57e6nvDcSyty2yFy5Yw2mBN+CNm6D1zxpR4hn KnzldfH9e2nFIDol1+f4w17kWgkSMFThuZp+I= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=c/b7iN9OVDYnJ0856w6+tZf3fztX3qnYGN96NK7ggzg=; b=m59j7pyTPrZACNr7bJS2DKx1CbaAV3tADPcPdpLnUwA6sDWoqxbN7ZeDf97YMntHo3 yecsS+rE5FcmyfOZNDDWP5MBJR5KND33WZm2D7y/fBNlRDfYCt2bbmSj7K/RYyfX+fdq wbTmFTPSmSbq4G/MB9rvGvowb75/XwThNgqqtJQdICfCrA3XlPhJnxEuOwEPSFMk7/Jz p7QilxIJDsujVceoqOSrDh1spuuXJV6omHNnb9xfDF3ZvYU5XfefvbwrQ1kdhXmPOQW6 JbiVKSsESOZs7E9uJm87bvGcX6qWHuMfX58lUZ/bWsYZliNEQwYlMupqBUi+nqxUpllw OgUQ== X-Gm-Message-State: AKwxytdMnAlR6XX2jJPzglAGqmSV+OSv8rHCxM9LyJTcXnp3doJCbGdX 2wzhWkujuBkuAVVwK3XkGsI700VEKyM1tjaIvZv3jw== X-Received: by 10.159.208.75 with SMTP id w11mr14769188plz.41.1516215419888; Wed, 17 Jan 2018 10:56:59 -0800 (PST) MIME-Version: 1.0 Received: by 10.100.169.12 with HTTP; Wed, 17 Jan 2018 10:56:59 -0800 (PST) In-Reply-To: <20180117142935.GA3723@ubuntu-xps13> References: <20180117142935.GA3723@ubuntu-xps13> From: Alban Crequy Date: Wed, 17 Jan 2018 19:56:59 +0100 Message-ID: Subject: Re: [PATCH 08/11] fuse: Support fuse filesystems outside of init_user_ns To: Seth Forshee Cc: Dongsu Park , linux-kernel@vger.kernel.org, containers@lists.linux-foundation.org, "Eric W . Biederman" , Miklos Szeredi , Sargun Dhillon , linux-fsdevel@vger.kernel.org, Tejun Heo , David Herrmann , Tom Gundersen Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jan 17, 2018 at 3:29 PM, Seth Forshee wrote: > On Wed, Jan 17, 2018 at 11:59:06AM +0100, Alban Crequy wrote: >> [Adding Tejun, David, Tom for question about cuse] >> >> On Fri, Dec 22, 2017 at 3:32 PM, Dongsu Park wrote: >> > From: Seth Forshee >> > >> > In order to support mounts from namespaces other than >> > init_user_ns, fuse must translate uids and gids to/from the >> > userns of the process servicing requests on /dev/fuse. This >> > patch does that, with a couple of restrictions on the namespace: >> > >> > - The userns for the fuse connection is fixed to the namespace >> > from which /dev/fuse is opened. >> > >> > - The namespace must be the same as s_user_ns. >> > >> > These restrictions simplify the implementation by avoiding the >> > need to pass around userns references and by allowing fuse to >> > rely on the checks in inode_change_ok for ownership changes. >> > Either restriction could be relaxed in the future if needed. >> > >> > For cuse the namespace used for the connection is also simply >> > current_user_ns() at the time /dev/cuse is opened. >> >> Was a use case discussed for using cuse in a new unprivileged userns? >> >> I ran some tests yesterday with cusexmp [1] and I could add a new char >> device as an unprivileged user with: >> >> $ unshare -U -r -m sh -c 'mount --bind /mnt/cuse /dev/cuse ; cusexmp >> --maj=99 --min=30 --name=foo >> >> where /mnt/cuse is previously mknod'ed correctly and chmod'ed 777. >> Then, I could see the new device: >> >> $ cat /proc/devices | grep foo >> 99 foo >> >> On normal distros, we don't have a /mnt/cuse chmod'ed 777 but still it >> seems dangerous if the dev node can be provided otherwise and if we >> don't have a use case for it. >> >> Thoughts? > > I can't remember the specific reasons, but I had concluded that letting > unprivileged users use cuse within a user namespace isn't safe. But > having a cuse device node usable by regular users at all is equally > unsafe I suspect, This makes sense. > so I don't think your example demonstrates any problem > specific to user namespaces. There shouldn't be any way to use a user > namespace to gain access permissions towards /dev/cuse, otherwise we > have bigger problems than cuse to worry about. From my tests, the patch seem safe but I don't fully understand why that is. I am not trying to gain more permissions towards /dev/cuse but to create another cuse char file from within the unprivileged userns. I tested the scenario by patching the memfs userspace FUSE driver to generate the char device whenever the file is named "cuse" (turning the regular file into a char device with the cuse major/minor behind the scene): $ unshare -U -r -m # memfs /mnt/memfs & # ls -l /mnt/memfs # echo -n > /mnt/memfs/cuse -bash: /mnt/memfs/cuse: Input/output error # ls -l /mnt/memfs/cuse crwxrwxrwx. 1 root root 10, 203 Jan 17 18:24 /mnt/memfs/cuse # cat /mnt/memfs/cuse cat: /mnt/memfs/cuse: Permission denied But then, I could not use that char device, even though it seems to have the correct major/minor and permissions. The kernel FUSE code seems to call init_special_inode() to handle character devices. I don't understand why it seems to be safe. Thanks! Alban