Received: by 10.223.148.5 with SMTP id 5csp7219169wrq; Thu, 18 Jan 2018 02:32:21 -0800 (PST) X-Google-Smtp-Source: ACJfBotzgwrCoBfQai14S0X6hIJlaZeSbPOncv/XuTMzEUmgNvO/mhO1dz1E3iiMH8kyR4Q+JwiZ X-Received: by 10.98.249.69 with SMTP id g5mr41513603pfm.229.1516271541199; Thu, 18 Jan 2018 02:32:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516271541; cv=none; d=google.com; s=arc-20160816; b=d0hZ9wheW+0KzUVR9XDbbFY8YbuQTh5ow1E+TbKAZJf3y9RRsA9mWDVgkMZHqi2Uqx yIGayKijyfzAOrWYzSK1QX8b6CLgqoA2e6lHC/l2+EYQC/X/lG5AMBqZKxZZ6qe9+EyL BMSd9DyXwqL7Y9Uzl6xnGJtZxxR0OUlF/VK1RGXRhgaKB2Ehfpjmiz8qdE2CbzkTE3ac z5PbTXC7pFGa8bQrsJJnGDX1UcKggtqThM0Fih8QZT3n/pGAbX3U6JBkq5Llxj0M7zAd 6sXEL6TEiyXpjX74iXtzhTx8ZkTSgUlh00czBQ3WgnzxxAYzTMeGl8bZpTX1sVgZg5h9 p5yA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=id8JKfP4LG6mVyArlFblkCcYpNZ5dm4Y82nqfEjbKAc=; b=S2m4wsV/W4Og9PCA2yPi6wHkzQ/31VFZ5Yxr0eCJ0dvtdeFryjN/2sSDONaQnD1COB RaLLGwNlFw8IjO8P5Tv+FGT6N0POMo7HwrArB+8STtKOqm8xBJ5VX8HdqNbAYbINKJzH zShqWrcnCKVQI87v6L8fttmn3h+UYjuspbJExr/j7Y28BN2Rvq1BnLhv83fC0yUSav/S CTJGtYRO4OgzB4QcPjpuXRefgVLosfDNZe7prF0lnJ3DScyCBj8Gq/6M0UvVgLuBkjk6 2CyouM2q5oygQZUHgGhIhjBagcmGXR1f8hcSZCut2LqUJxfF4mN6myrgOa2W5Da+a4W4 vwKQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kinvolk.io header.s=google header.b=bpGvHhds; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s133si5811893pgc.86.2018.01.18.02.32.07; Thu, 18 Jan 2018 02:32:21 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kinvolk.io header.s=google header.b=bpGvHhds; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932282AbeARK3d (ORCPT + 99 others); Thu, 18 Jan 2018 05:29:33 -0500 Received: from mail-pg0-f65.google.com ([74.125.83.65]:38233 "EHLO mail-pg0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755290AbeARK3a (ORCPT ); Thu, 18 Jan 2018 05:29:30 -0500 Received: by mail-pg0-f65.google.com with SMTP id y27so7748846pgc.5 for ; Thu, 18 Jan 2018 02:29:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kinvolk.io; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=id8JKfP4LG6mVyArlFblkCcYpNZ5dm4Y82nqfEjbKAc=; b=bpGvHhdspYpoof/tSJ4A6FK9khsBaJXq+kIGN2dFHhjazX2nnmnkELF/bB+863im6/ ytdqjuwRwFgL012ANApMQYJuukiUdO6nYkjTaqeoZ9T2bRZ1iQSpbpAQNaFMKy9v068/ sv2j/ZmxYqoz5t45ozGpsGWsQ3UVi5MJu5qCQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=id8JKfP4LG6mVyArlFblkCcYpNZ5dm4Y82nqfEjbKAc=; b=t/8zqeUAWTIepil/isbCZkBDn6Xh8raC6xMRjeOaeNqoG+lCnizRfWIL228KqOpV3z 1DoSePMZg3d5rNgUnDNMGiy46ZI46j5Jq25x/8TquH2bTiv2SrTYJibcgJolKwqNqGQB eb7icONzotuE9MQaqCQJSU3wzzIIJq61VDMFOsqSNDAHpdFsITDA5hf96uT71akrLILm hvM6kRJv9NUkdEG4dfeRappN4/i5lyDIKwn1BqA7jMhLDumnhZfsHxJ2e16uv/2pBIEO Qvl71Nj/yESly7W5rPW/TSWy4OZjvdieX31vCLKuxBCcTwErq8vMpvCS/p6gGGJpklPM IGBQ== X-Gm-Message-State: AKwxytcFLcrASIQK2ppClBHC32c1TiR/i3GgG/z1Zdzq2ljLHkJtHTaB nmGs0C9IEdPzR9h6NgHRMRk1ieWSdkyMtVcjjCmI7GumVz4= X-Received: by 10.84.202.194 with SMTP id q2mr5388617plh.260.1516271369618; Thu, 18 Jan 2018 02:29:29 -0800 (PST) MIME-Version: 1.0 Received: by 10.100.169.12 with HTTP; Thu, 18 Jan 2018 02:29:29 -0800 (PST) In-Reply-To: <20180117193124.GC3723@ubuntu-xps13> References: <20180117142935.GA3723@ubuntu-xps13> <20180117193124.GC3723@ubuntu-xps13> From: Alban Crequy Date: Thu, 18 Jan 2018 11:29:29 +0100 Message-ID: Subject: Re: [PATCH 08/11] fuse: Support fuse filesystems outside of init_user_ns To: Seth Forshee Cc: Dongsu Park , linux-kernel@vger.kernel.org, containers@lists.linux-foundation.org, "Eric W . Biederman" , Miklos Szeredi , Sargun Dhillon , linux-fsdevel@vger.kernel.org, Tejun Heo , David Herrmann , Tom Gundersen Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jan 17, 2018 at 8:31 PM, Seth Forshee wrote: > On Wed, Jan 17, 2018 at 07:56:59PM +0100, Alban Crequy wrote: >> On Wed, Jan 17, 2018 at 3:29 PM, Seth Forshee >> wrote: >> > On Wed, Jan 17, 2018 at 11:59:06AM +0100, Alban Crequy wrote: >> >> [Adding Tejun, David, Tom for question about cuse] >> >> >> >> On Fri, Dec 22, 2017 at 3:32 PM, Dongsu Park wrote: >> >> > From: Seth Forshee >> >> > >> >> > In order to support mounts from namespaces other than >> >> > init_user_ns, fuse must translate uids and gids to/from the >> >> > userns of the process servicing requests on /dev/fuse. This >> >> > patch does that, with a couple of restrictions on the namespace: >> >> > >> >> > - The userns for the fuse connection is fixed to the namespace >> >> > from which /dev/fuse is opened. >> >> > >> >> > - The namespace must be the same as s_user_ns. >> >> > >> >> > These restrictions simplify the implementation by avoiding the >> >> > need to pass around userns references and by allowing fuse to >> >> > rely on the checks in inode_change_ok for ownership changes. >> >> > Either restriction could be relaxed in the future if needed. >> >> > >> >> > For cuse the namespace used for the connection is also simply >> >> > current_user_ns() at the time /dev/cuse is opened. >> >> >> >> Was a use case discussed for using cuse in a new unprivileged userns? >> >> >> >> I ran some tests yesterday with cusexmp [1] and I could add a new char >> >> device as an unprivileged user with: >> >> >> >> $ unshare -U -r -m sh -c 'mount --bind /mnt/cuse /dev/cuse ; cusexmp >> >> --maj=99 --min=30 --name=foo >> >> >> >> where /mnt/cuse is previously mknod'ed correctly and chmod'ed 777. >> >> Then, I could see the new device: >> >> >> >> $ cat /proc/devices | grep foo >> >> 99 foo >> >> >> >> On normal distros, we don't have a /mnt/cuse chmod'ed 777 but still it >> >> seems dangerous if the dev node can be provided otherwise and if we >> >> don't have a use case for it. >> >> >> >> Thoughts? >> > >> > I can't remember the specific reasons, but I had concluded that letting >> > unprivileged users use cuse within a user namespace isn't safe. But >> > having a cuse device node usable by regular users at all is equally >> > unsafe I suspect, >> >> This makes sense. >> >> > so I don't think your example demonstrates any problem >> > specific to user namespaces. There shouldn't be any way to use a user >> > namespace to gain access permissions towards /dev/cuse, otherwise we >> > have bigger problems than cuse to worry about. >> >> From my tests, the patch seem safe but I don't fully understand why that is. >> >> I am not trying to gain more permissions towards /dev/cuse but to >> create another cuse char file from within the unprivileged userns. I >> tested the scenario by patching the memfs userspace FUSE driver to >> generate the char device whenever the file is named "cuse" (turning >> the regular file into a char device with the cuse major/minor behind >> the scene): >> >> $ unshare -U -r -m >> # memfs /mnt/memfs & >> # ls -l /mnt/memfs >> # echo -n > /mnt/memfs/cuse >> -bash: /mnt/memfs/cuse: Input/output error >> # ls -l /mnt/memfs/cuse >> crwxrwxrwx. 1 root root 10, 203 Jan 17 18:24 /mnt/memfs/cuse >> # cat /mnt/memfs/cuse >> cat: /mnt/memfs/cuse: Permission denied >> >> But then, I could not use that char device, even though it seems to >> have the correct major/minor and permissions. The kernel FUSE code >> seems to call init_special_inode() to handle character devices. I >> don't understand why it seems to be safe. > > Because for new mounts in non-init user namespaces alloc_super() sets > SB_I_NODEV flag in s_iflags, which disallows opening device nodes in > that filesystem. I see. Thanks for the explanation!