From: Andy Lutomirski
Date: Mon, 15 Oct 2018 10:27:09 -0700
Subject: Re: [RFC] Allow user namespace inside chroot
To: Jann Horn
Cc: Nagarathnam Muthusamy, LKML, "Eric W. Biederman", Andrew Morton, Serge Hallyn, Oleg Nesterov, Prakash Sangappa, Konstantin Khlebnikov
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Oct 15, 2018 at 10:22 AM Jann Horn wrote:
>
> On Mon, Oct 15, 2018 at 7:10 PM wrote:
> > Following commit disables the creation of user namespace inside
> > the chroot environment.
> >
> > userns: Don't allow creation if the user is chrooted
> >
> > commit 3151527ee007b73a0ebd296010f1c0454a919c7d
> >
> > Consider a system in which a non-root user creates a combination
> > of user, pid and mount namespaces and confines a process to it.
> > The system will have multiple levels of nested namespaces.
> > The root namespace in the system will have lots of directories
> > which should not be exposed to the child confined to the set of
> > namespaces.
> >
> > Without chroot, we will have to hide all unwanted directories
> > individually using bind mounts and mount namespace.
>
> IMO what you really should be doing is to create a tmpfs, bind-mount
> the directories you want into it, and then pivot_root() into that, not
> the other way around.

Indeed.  Or you can just recursive bind-mount the subtree you want and
then pivot_root() into it.

--Andy
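
The second variant from this message (recursively bind-mount the subtree, then pivot_root() into it), as an added example that is not part of the original thread or anyone's patch. The names confine_to_subtree and run_confined are hypothetical; it assumes Linux with unprivileged user namespaces enabled and writes no uid/gid map.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Make `subtree` the root of a new mount namespace. 0 on success, -1 + errno. */
static int confine_to_subtree(const char *subtree)
{
    /* New user + mount namespaces give an unprivileged caller CAP_SYS_ADMIN
     * over its own mounts. Per the commit quoted in the thread, this
     * unshare() is refused when the caller is chrooted. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) return -1;
    /* Keep mount changes from propagating back to the parent namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return -1;
    /* The recursive bind mount turns the subtree into its own mount point. */
    if (mount(subtree, subtree, NULL, MS_BIND | MS_REC, NULL) < 0) return -1;
    if (chdir(subtree) < 0) return -1;
    /* pivot_root(".", ".") stacks the old root on top of the new root ... */
    if (syscall(SYS_pivot_root, ".", ".") < 0) return -1;
    /* ... so detaching "." drops the old root and leaves the subtree as "/". */
    if (umount2(".", MNT_DETACH) < 0) return -1;
    return chdir("/");
}

/* Runs the confinement in a child. Returns 0 if `probe` (a host path) is no
 * longer reachable afterwards, 1 if it still is, 2 if setup failed here. */
int run_confined(const char *subtree, const char *probe)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return 2;
    if (pid == 0) {
        if (confine_to_subtree(subtree) < 0) { perror("confine"); _exit(2); }
        _exit(access(probe, F_OK) == 0 ? 1 : 0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 2;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    if (argc != 3) return 64; /* usage: confine <subtree> <host-path> */
    int r = run_confined(argv[1], argv[2]);
    printf("%s\n", r == 0 ? "confined" : r == 1 ? "host path still visible" : "setup failed");
    return r;
}
```

Unlike chroot(), the old root is detached from the namespace entirely, so nothing outside the subtree has to be hidden one directory at a time.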