Received: by 10.213.65.68 with SMTP id h4csp870025imn; Wed, 4 Apr 2018 08:36:38 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/2HdTkBoTuvUPD0I2Ge33Vd7K376aiSyy70hGxDXYLxYx/Dl76tF4X8YqyxGZv/D2qSzLE X-Received: by 10.98.156.152 with SMTP id u24mr14215942pfk.74.1522856198908; Wed, 04 Apr 2018 08:36:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522856198; cv=none; d=google.com; s=arc-20160816; b=nc0D3zGr7oaBzLC2+Y9GYwmZkVgxBJFBWL1kkScABaQ5WSLu7ifvp/aNrPpiK50GUJ hVYGHMD+HmvHuG2XmV5czAUloP7sVbGQFM4P5Qewzfoyt2adH4mDfhqwcszY5v5zA3yC +YppAn7+uTH0RWXAgcbwXMqc0sKLLqBF+RcD2GCSPIYnAufVvBdya9ouowKILzM/H+PT btLNw/NA0e7KM1h/krRipX5tThjbTZ7nReKiDfsUF6QLlSJDxeAclVJ4mQJqLamjO8ub J6X1eybaAorCLO6Ot7qQxu9QltZnihKVtjtr7fzAleFAD+eULqthis/cQisnLKO22sXj qRFw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=+S5yR5ZRfoPeKo5FZ3dgM2yjP3kaRpE+YpsMVeQwsIE=; b=YJ1UCSyy7O+HbdQrZjP5UiEhjhs/DOa+mdCs22hzak8OBUAWQPEfDqxda3F1CApLpo kFAxt0Aa8IcrIukV/98RtWoBWVDW5lh+SPHIaeRfeID7ZCoUvqv8WFvL9WRcjg4a981m cjNSUC0rxnYJYnU1i7rscKHQ8tLMcWiIlktbRI0Ena4ym+ZTCMmlcu1K5MAhhY9t1Qha HvaonE4Px16J8QRhogXAYjyO2dLtxrsmstirMjjHDg/3dhoO2Oa4A2yQeawfx8wC9Ucf 6S8XkzdYSLtW5Iuvs1Ohg6AUaApOCuL+bWO0DSe1iXe3blioImCxI0O6yhNscYKHy+JB KokQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e9si3866068pgc.170.2018.04.04.08.36.24; Wed, 04 Apr 2018 08:36:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752575AbeDDPef (ORCPT + 99 others); Wed, 4 Apr 2018 11:34:35 -0400 Received: from mx2.suse.de ([195.135.220.15]:44258 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751593AbeDDPed (ORCPT ); Wed, 4 Apr 2018 11:34:33 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id BAE2CAC81; Wed, 4 Apr 2018 15:34:31 +0000 (UTC) Date: Thu, 5 Apr 2018 01:34:22 +1000 From: Aleksa Sarai To: "Eric W. Biederman" Cc: Alban Crequy , Alban Crequy , Dongsu Park , Iago Lopez Galeiras , Stephen J Day , Michael Crosby , Jess Frazelle , Akihiro Suda , Daniel J Walsh , Alexander Viro , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, containers@lists.linux-foundation.org Subject: Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible Message-ID: <20180404153422.mea4nup3ldc2q2qt@gordon> References: <20180404115311.725-1-alban@kinvolk.io> <87tvsrjai0.fsf@xmission.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="xg6ha4rtuhb7wper" Content-Disposition: inline In-Reply-To: <87tvsrjai0.fsf@xmission.com> User-Agent: NeoMutt/20170912 (1.9.0) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --xg6ha4rtuhb7wper Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2018-04-04, Eric W. Biederman wrote: > > The following commands show my problem: > > > > $ sudo docker run -ti --rm --cap-add=3DSYS_ADMIN busybox sh -c 'unshare= -U -r -p -m -f mount -t proc proc /home && echo ok' > > mount: permission denied (are you root?) > > > > $ sudo docker run -ti --rm --cap-add=3DSYS_ADMIN busybox sh -c 'mkdir -= p /unmasked-proc && mount -t proc proc /unmasked-proc && unshare -U -r -p -= m -f mount -t proc proc /home && echo ok' > > ok >=20 > Actually this does not show your problem because it does not reveal why > you need to mount proc. >=20 > That is a ``Doctor it hurts when I do this'' example where the Doctor > will reasonably tell you ``Don't do that then''. The context is that people want to run unprivileged runc inside a Docker container, and mounting proc is part of setting up a container. But Docker (and runc) have masks for /proc to stop containers from being able to touch things like /proc/scsi and so on. The other possibility is to give people an escape-hatch when setting up a container which basically says "make this container slightly less secure so that I can run containers inside it". However I share your concern about the layer mixing with inheriting the masks for the new procfs mount (what if you have a mount over a particular process, now the mask is masking something completely different, and a bunch of other possible problems). > > For my use case, I will need to support at least the following entries: > > > > $ sudo docker run -ti --rm busybox sh -c 'mount|grep /proc/' > > proc on /proc/asound type proc (ro,nosuid,nodev,noexec,relatime) > > proc on /proc/bus type proc (ro,nosuid,nodev,noexec,relatime) > > proc on /proc/fs type proc (ro,nosuid,nodev,noexec,relatime) > > proc on /proc/irq type proc (ro,nosuid,nodev,noexec,relatime) > > proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime) > > proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime) > > tmpfs on /proc/kcore type tmpfs (rw,context=3D"...",nosuid,mode=3D755) > > tmpfs on /proc/latency_stats type tmpfs (rw,context=3D"...",nosuid,mode= =3D755) > > tmpfs on /proc/timer_list type tmpfs (rw,context=3D"...",nosuid,mode=3D= 755) > > tmpfs on /proc/sched_debug type tmpfs (rw,context=3D"...",nosuid,mode= =3D755) > > tmpfs on /proc/scsi type tmpfs (ro,seclabel,relatime) >=20 > It looks like a cruft free cousin of proc that is just processes would > be applicable to your usecase. I think a procfs that only has processes would be a massive improvement for a bunch of other reasons too. :D --=20 Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH --xg6ha4rtuhb7wper Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAlrE8HsACgkQnhiqJn3b jbRnow/+KccyoEV0xLBfJSPqejhSu8o8/aasXyqdJaAIM/GTI0/Xf6aT6pW4JZU/ m8IcgIKBrSDd6GmdkTE5MJ8s/Bqc5+EeDAbwfeJQeDzGFqBOXtmNvhs6YJrLG6pp nZG7nwIsrxeKuL/yqyHNAZYpC5ii7zEe+GeEaeUf6gaxq6T5qklmDPWDS5kVRyza 4O+NpfSmd8MmOmCBNrwV90LxqdB+kso4MFAFXZzmhs9IzibpPdaBT8RWhJ8z0gCj hZDtGHnY2gpjppgec+L35h9xHN3A1W93OVZAuzmX/JRWnRdimuv9URJlAH8k+GhW gNIbXcoPQgDcRaSpGrimIqOiUAbNQXB0HUbsDwnmGlWWTESZ5nIVv3xftmew+QSR M2AxI/vvii/HkvUMIgwAN8IGTzI+6ozJmT5wweDrRhKkFak88VlL7Kr+2+2yBxti LCJmGhuqss3VEKYeXd5+43W+TEtCHE3gkAOtkU572XC25BmPxr4k446UxbUkagBk FXPD5NbzEeASwzcVSJdvUF/hRSGztyRuSbYcBqRsxa+LUwIZSuW295Rh7EC3dpxl eKtSMiyHnlj9Qg6AABfWo5qDI7OldL7EQmVYtW4NuXzaggh2SMqrdx+uERFcYDGE mSFLWHc54ZN5gvuRPOtSCb5MGuVUtE3+Dtqe2AAtUk4m83CHOvc= =0/iw -----END PGP SIGNATURE----- --xg6ha4rtuhb7wper--