Received: by 10.223.148.5 with SMTP id 5csp7219169wrq;
        Thu, 18 Jan 2018 02:32:21 -0800 (PST)
X-Google-Smtp-Source: ACJfBotzgwrCoBfQai14S0X6hIJlaZeSbPOncv/XuTMzEUmgNvO/mhO1dz1E3iiMH8kyR4Q+JwiZ
X-Received: by 10.98.249.69 with SMTP id g5mr41513603pfm.229.1516271541199;
        Thu, 18 Jan 2018 02:32:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516271541; cv=none;
        d=google.com; s=arc-20160816;
        b=d0hZ9wheW+0KzUVR9XDbbFY8YbuQTh5ow1E+TbKAZJf3y9RRsA9mWDVgkMZHqi2Uqx
         yIGayKijyfzAOrWYzSK1QX8b6CLgqoA2e6lHC/l2+EYQC/X/lG5AMBqZKxZZ6qe9+EyL
         BMSd9DyXwqL7Y9Uzl6xnGJtZxxR0OUlF/VK1RGXRhgaKB2Ehfpjmiz8qdE2CbzkTE3ac
         z5PbTXC7pFGa8bQrsJJnGDX1UcKggtqThM0Fih8QZT3n/pGAbX3U6JBkq5Llxj0M7zAd
         6sXEL6TEiyXpjX74iXtzhTx8ZkTSgUlh00czBQ3WgnzxxAYzTMeGl8bZpTX1sVgZg5h9
         p5yA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=id8JKfP4LG6mVyArlFblkCcYpNZ5dm4Y82nqfEjbKAc=;
        b=S2m4wsV/W4Og9PCA2yPi6wHkzQ/31VFZ5Yxr0eCJ0dvtdeFryjN/2sSDONaQnD1COB
         RaLLGwNlFw8IjO8P5Tv+FGT6N0POMo7HwrArB+8STtKOqm8xBJ5VX8HdqNbAYbINKJzH
         zShqWrcnCKVQI87v6L8fttmn3h+UYjuspbJExr/j7Y28BN2Rvq1BnLhv83fC0yUSav/S
         CTJGtYRO4OgzB4QcPjpuXRefgVLosfDNZe7prF0lnJ3DScyCBj8Gq/6M0UvVgLuBkjk6
         2CyouM2q5oygQZUHgGhIhjBagcmGXR1f8hcSZCut2LqUJxfF4mN6myrgOa2W5Da+a4W4
         vwKQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kinvolk.io header.s=google header.b=bpGvHhds;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id s133si5811893pgc.86.2018.01.18.02.32.07;
        Thu, 18 Jan 2018 02:32:21 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kinvolk.io header.s=google header.b=bpGvHhds;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932282AbeARK3d (ORCPT <rfc822;tibaldi.amos@gmail.com>
        + 99 others); Thu, 18 Jan 2018 05:29:33 -0500
Received: from mail-pg0-f65.google.com ([74.125.83.65]:38233 "EHLO
        mail-pg0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1755290AbeARK3a (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 18 Jan 2018 05:29:30 -0500
Received: by mail-pg0-f65.google.com with SMTP id y27so7748846pgc.5
        for <linux-kernel@vger.kernel.org>; Thu, 18 Jan 2018 02:29:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=kinvolk.io; s=google;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=id8JKfP4LG6mVyArlFblkCcYpNZ5dm4Y82nqfEjbKAc=;
        b=bpGvHhdspYpoof/tSJ4A6FK9khsBaJXq+kIGN2dFHhjazX2nnmnkELF/bB+863im6/
         ytdqjuwRwFgL012ANApMQYJuukiUdO6nYkjTaqeoZ9T2bRZ1iQSpbpAQNaFMKy9v068/
         sv2j/ZmxYqoz5t45ozGpsGWsQ3UVi5MJu5qCQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=id8JKfP4LG6mVyArlFblkCcYpNZ5dm4Y82nqfEjbKAc=;
        b=t/8zqeUAWTIepil/isbCZkBDn6Xh8raC6xMRjeOaeNqoG+lCnizRfWIL228KqOpV3z
         1DoSePMZg3d5rNgUnDNMGiy46ZI46j5Jq25x/8TquH2bTiv2SrTYJibcgJolKwqNqGQB
         eb7icONzotuE9MQaqCQJSU3wzzIIJq61VDMFOsqSNDAHpdFsITDA5hf96uT71akrLILm
         hvM6kRJv9NUkdEG4dfeRappN4/i5lyDIKwn1BqA7jMhLDumnhZfsHxJ2e16uv/2pBIEO
         Qvl71Nj/yESly7W5rPW/TSWy4OZjvdieX31vCLKuxBCcTwErq8vMpvCS/p6gGGJpklPM
         IGBQ==
X-Gm-Message-State: AKwxytcFLcrASIQK2ppClBHC32c1TiR/i3GgG/z1Zdzq2ljLHkJtHTaB
        nmGs0C9IEdPzR9h6NgHRMRk1ieWSdkyMtVcjjCmI7GumVz4=
X-Received: by 10.84.202.194 with SMTP id q2mr5388617plh.260.1516271369618;
 Thu, 18 Jan 2018 02:29:29 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.169.12 with HTTP; Thu, 18 Jan 2018 02:29:29 -0800 (PST)
In-Reply-To: <20180117193124.GC3723@ubuntu-xps13>
References: <cover.1512741134.git.dongsu@kinvolk.io> <c85c293e19a478353aba8e6e3ee39e5914f798d5.1512041070.git.dongsu@kinvolk.io>
 <CADZs7q5NA7Kox62vnCOkL=TGgzTxX+oNYz6=oNXKWkQkQwSMrA@mail.gmail.com>
 <20180117142935.GA3723@ubuntu-xps13> <CADZs7q6ZHGHbrdL96Bmy148Zc6TxruiJrEeDjaDYEX8U-5QV1A@mail.gmail.com>
 <20180117193124.GC3723@ubuntu-xps13>
From:   Alban Crequy <alban@kinvolk.io>
Date:   Thu, 18 Jan 2018 11:29:29 +0100
Message-ID: <CADZs7q45--wKbWmuANHfTHbMYo1thQgtZ1u1Yg3LWpU4BNd-TQ@mail.gmail.com>
Subject: Re: [PATCH 08/11] fuse: Support fuse filesystems outside of init_user_ns
To:     Seth Forshee <seth.forshee@canonical.com>
Cc:     Dongsu Park <dongsu@kinvolk.io>, linux-kernel@vger.kernel.org,
        containers@lists.linux-foundation.org,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        Miklos Szeredi <mszeredi@redhat.com>,
        Sargun Dhillon <sargun@sargun.me>,
        linux-fsdevel@vger.kernel.org, Tejun Heo <tj@kernel.org>,
        David Herrmann <dh.herrmann@googlemail.com>,
        Tom Gundersen <teg@jklm.no>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jan 17, 2018 at 8:31 PM, Seth Forshee
<seth.forshee@canonical.com> wrote:
> On Wed, Jan 17, 2018 at 07:56:59PM +0100, Alban Crequy wrote:
>> On Wed, Jan 17, 2018 at 3:29 PM, Seth Forshee
>> <seth.forshee@canonical.com> wrote:
>> > On Wed, Jan 17, 2018 at 11:59:06AM +0100, Alban Crequy wrote:
>> >> [Adding Tejun, David, Tom for question about cuse]
>> >>
>> >> On Fri, Dec 22, 2017 at 3:32 PM, Dongsu Park <dongsu@kinvolk.io> wrote:
>> >> > From: Seth Forshee <seth.forshee@canonical.com>
>> >> >
>> >> > In order to support mounts from namespaces other than
>> >> > init_user_ns, fuse must translate uids and gids to/from the
>> >> > userns of the process servicing requests on /dev/fuse. This
>> >> > patch does that, with a couple of restrictions on the namespace:
>> >> >
>> >> >  - The userns for the fuse connection is fixed to the namespace
>> >> >    from which /dev/fuse is opened.
>> >> >
>> >> >  - The namespace must be the same as s_user_ns.
>> >> >
>> >> > These restrictions simplify the implementation by avoiding the
>> >> > need to pass around userns references and by allowing fuse to
>> >> > rely on the checks in inode_change_ok for ownership changes.
>> >> > Either restriction could be relaxed in the future if needed.
>> >> >
>> >> > For cuse the namespace used for the connection is also simply
>> >> > current_user_ns() at the time /dev/cuse is opened.
>> >>
>> >> Was a use case discussed for using cuse in a new unprivileged userns?
>> >>
>> >> I ran some tests yesterday with cusexmp [1] and I could add a new char
>> >> device as an unprivileged user with:
>> >>
>> >> $ unshare -U -r -m sh -c 'mount --bind /mnt/cuse /dev/cuse ; cusexmp
>> >> --maj=99 --min=30 --name=foo
>> >>
>> >> where /mnt/cuse is previously mknod'ed correctly and chmod'ed 777.
>> >> Then, I could see the new device:
>> >>
>> >> $ cat /proc/devices | grep foo
>> >>  99 foo
>> >>
>> >> On normal distros, we don't have a /mnt/cuse chmod'ed 777 but still it
>> >> seems dangerous if the dev node can be provided otherwise and if we
>> >> don't have a use case for it.
>> >>
>> >> Thoughts?
>> >
>> > I can't remember the specific reasons, but I had concluded that letting
>> > unprivileged users use cuse within a user namespace isn't safe. But
>> > having a cuse device node usable by regular users at all is equally
>> > unsafe I suspect,
>>
>> This makes sense.
>>
>> > so I don't think your example demonstrates any problem
>> > specific to user namespaces. There shouldn't be any way to use a user
>> > namespace to gain access permissions towards /dev/cuse, otherwise we
>> > have bigger problems than cuse to worry about.
>>
>> From my tests, the patch seem safe but I don't fully understand why that is.
>>
>> I am not trying to gain more permissions towards /dev/cuse but to
>> create another cuse char file from within the unprivileged userns. I
>> tested the scenario by patching the memfs userspace FUSE driver to
>> generate the char device whenever the file is named "cuse" (turning
>> the regular file into a char device with the cuse major/minor behind
>> the scene):
>>
>> $ unshare -U -r -m
>> # memfs /mnt/memfs &
>> # ls -l /mnt/memfs
>> # echo -n > /mnt/memfs/cuse
>> -bash: /mnt/memfs/cuse: Input/output error
>> # ls -l /mnt/memfs/cuse
>> crwxrwxrwx. 1 root root 10, 203 Jan 17 18:24 /mnt/memfs/cuse
>> # cat /mnt/memfs/cuse
>> cat: /mnt/memfs/cuse: Permission denied
>>
>> But then, I could not use that char device, even though it seems to
>> have the correct major/minor and permissions. The kernel FUSE code
>> seems to call init_special_inode() to handle character devices. I
>> don't understand why it seems to be safe.
>
> Because for new mounts in non-init user namespaces alloc_super() sets
> SB_I_NODEV flag in s_iflags, which disallows opening device nodes in
> that filesystem.

I see. Thanks for the explanation!