Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261518AbVEACkA (ORCPT ); Sat, 30 Apr 2005 22:40:00 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261517AbVEACkA (ORCPT ); Sat, 30 Apr 2005 22:40:00 -0400 Received: from e4.ny.us.ibm.com ([32.97.182.144]:50819 "EHLO e4.ny.us.ibm.com") by vger.kernel.org with ESMTP id S261516AbVEACjy (ORCPT ); Sat, 30 Apr 2005 22:39:54 -0400 Subject: Re: [PATCH] private mounts From: Ram To: Jamie Lokier Cc: Olivier Galibert , Miklos Szeredi , hch@infradead.org, bulb@ucw.cz, viro@parcelfarce.linux.theplanet.co.uk, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Andrew Morton In-Reply-To: <20050430235829.GB11494@mail.shareable.org> References: <20050430083516.GC23253@infradead.org> <20050430094218.GA32679@mail.shareable.org> <20050430143609.GA4362@mail.shareable.org> <20050430164258.GA6498@mail.shareable.org> <20050430182016.GA41358@dspnet.fr.eu.org> <20050430235829.GB11494@mail.shareable.org> Content-Type: text/plain Organization: IBM Message-Id: <1114915182.4180.2110.camel@localhost> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.6 Date: Sat, 30 Apr 2005 19:39:43 -0700 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1798 Lines: 48 On Sat, 2005-04-30 at 16:58, Jamie Lokier wrote: > Olivier Galibert wrote: > > > > "mount --bind /proc/self/fd/N mount_point" works, try it. > > > > > > What do people think about that? > > > > To me it looks like an atrocious hack that works only because of the > > way the implementation is done and not really by design. > > >From fs/namespace.c:do_loopback, the function which does bind mounts: > > if (check_mnt(nd->mnt) && (!recurse || check_mnt(old_nd.mnt))) { > > check_mnt() verifies that a mountpoint is in the same namespace as the > current process. recurse is set for --rbind mounts, but not --bind mounts. > > Notice how old_nd.mnt is explicitly _not_ checked for being in the current > namespace when doing --bind? > That says to me that Al thought about this case, and coded for it... > > (I'm still not clear why the check_mnt() calls are needed at all, though). > Making a wild guess. What if some filesystem allowed access to vfsmount in other namespace? Just like the proc filesystem having the ability to do so, but marginally stops it through the check in proc_check_root(). However the check you mentioned above where-a-bind-mount-across- namespace is allowed, implies that there is some legal way of getting access to vfsmounts in other namespace. Or maybe a remote possibility that its a bug? RP > -- Jamie > - > To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/