From: Christian Brauner
Date: Thu, 8 Mar 2018 09:19:04 +0100
To: Linus Torvalds
Cc: Al Viro, Linux Kernel Mailing List, "Eric W. Biederman"
Subject: Re: Invalid /proc//fd/{0,1,2} symlinks with TIOCGPTPEER
Message-ID: <20180308081903.GC22728@gmail.com>
References: <20180307161744.GA17562@gmail.com>

On Wed, Mar 07, 2018 at 11:44:35AM -0800, Linus Torvalds wrote:
> On Wed, Mar 7, 2018 at 8:17 AM, Christian Brauner wrote:
> >
> >     unshare --mount
> >     mount --bind /dev/pts/ptmx /dev/ptmx
> >     chmod 666 /dev/ptmx
>
> Oh. Why are you using a bind mount in the first place?

Containers employing user namespaces can't mknod() and because of the
way some LSMs check access permissions (path-based AppArmor being one
example) a symlink to /dev/pts/ptmx won't work either so a bind-mount
seems like the most reliable solution.

> Anyway, I guess we just have to add another special case for this.
>
> Which doesn't look horrible. Right now path_pts() just does
>
>     ret = path_parent_directory(path);
>
> and that simply doesn't work for a bind mount file.
>
> I think we could just change path_parent_directory() to go through
> file bind mounts. The other user is follow_dotdot(), but that always
> takes a directory, so it wouldn't be affected.
>
> But it's probably safer to just teach path_pts to just walk up the
> bind mount first, and then do the existing path_parent_directory.
>
> Anybody want to just try that thing?

Sure. I can try and take a look.

Christian
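
A userspace check for the symptom named in the subject line, as an added example that is not part of the original message or of the kernel tree: it opens a ptmx node, gets the peer with TIOCGPTPEER, and compares the /proc/self/fd link of that peer with the expected slave path. The names link_matches() and check_peer_link(), and the assumption that devpts is mounted at /dev/pts, belong to this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#ifndef TIOCGPTPEER
#define TIOCGPTPEER _IO('T', 0x41) /* for headers older than Linux 4.13 */
#endif

/* Assumption: devpts is mounted at /dev/pts, so slave n is /dev/pts/n. */
int link_matches(const char *link, unsigned int n)
{
    char want[64];
    snprintf(want, sizeof(want), "/dev/pts/%u", n);
    return strcmp(link, want) == 0;
}

/* 1 = link is sane, 0 = link is wrong, -1 = could not be tested here. */
int check_peer_link(const char *ptmx, char *link, size_t len)
{
    char proc[64];
    unsigned int n = 0;
    int unlock = 0, ret = -1, peer = -1;
    int master = open(ptmx, O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    /* Unlock the slave, read its index, then open the peer via the master. */
    if (ioctl(master, TIOCSPTLCK, &unlock) == 0 && ioctl(master, TIOCGPTN, &n) == 0)
        peer = ioctl(master, TIOCGPTPEER, O_RDWR | O_NOCTTY);
    if (peer >= 0) {
        snprintf(proc, sizeof(proc), "/proc/self/fd/%d", peer);
        ssize_t r = readlink(proc, link, len - 1);
        if (r >= 0) {
            link[r] = '\0';
            ret = link_matches(link, n);
        }
        close(peer);
    }
    close(master);
    return ret;
}

int main(void)
{
    char link[256] = "";
    int ok = check_peer_link("/dev/ptmx", link, sizeof(link));
    printf("peer link '%s': %s\n", link, ok == 1 ? "ok" : ok == 0 ? "INVALID" : "not testable");
    return ok == 0;
}
```

Run it once on the host and once inside the mount namespace set up with the quoted bind mount; exit status 1 means the peer's /proc link does not name the slave.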