Date: Mon, 16 Apr 2018 16:16:16 +0200
From: Alexey Gladkov
To: Djalal Harouni
Cc: "Eric W. Biederman", Andy Lutomirski, Alban Crequy, Dongsu Park,
    Iago Lopez Galeiras, Stephen J Day, Michael Crosby, Jess Frazelle,
    Akihiro Suda, Aleksa Sarai, Daniel J Walsh, Alexander Viro,
    linux-kernel, Linux FS Devel, Linux Containers
Subject: Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible
Message-ID: <20180416141616.GB21965@comp-core-i7-2640m-0182e6>
References: <20180404115311.725-1-alban@kinvolk.io> <87tvsrjai0.fsf@xmission.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Apr 14, 2018 at 12:41:31AM +0200, Djalal Harouni wrote:
> On Wed, Apr 4, 2018 at 4:45 PM, Eric W. Biederman wrote:
> [...]
> >
> > The only option I have seen proposed that might qualify as something
> > general purpose and simple is a new filesystem that is just the process
> > directories of proc. As there would in essence be no files that would
> > need restrictions it would be safe to allow anyone to mount without
> > restriction.
> >
> Eric, there is a series for this:
> https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1533642.html
>
> patch on top for pids:
> https://github.com/legionus/linux/commit/993a2a5b9af95b0ac901ff41d32124b72ed676e3
>
> it was reviewed, and suggestions were integrated from Andy and Al Viro
> feedback, thanks. It works on Debian, Ubuntu and others, not on Fedora
> due to bug with dracut+systemd.
>
> I do not have time to work on it now, anyone can just pick them.

I continue to work on this. I am now trying to deal with the problem on
Fedora. I hope to return soon with the results.

--
Rgrds, legion