Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp735487ybv; Thu, 20 Feb 2020 06:26:43 -0800 (PST) X-Google-Smtp-Source: APXvYqyhryc06ZWtegasX7ec9WV0tzc45KgICLd52K3aGLtRfzYW6+BTizgyug4J4VhxQZuzctLH X-Received: by 2002:a54:4011:: with SMTP id x17mr2105187oie.35.1582208803765; Thu, 20 Feb 2020 06:26:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582208803; cv=none; d=google.com; s=arc-20160816; b=fNLsqlTKa/qMeKSOD+Rii6QDQn773DVXP8gkYwUDTEESe9UeyzwFBZR7/oghAGlpXl t9yunmp1GGu7oHxcUS2FR+A3HxifjgReJJZKLugJAL8NRYp9BebQH6UbuqUucPGW5rNd coJ7zg3i+i+ry1Aj7/IDQxidzGYaKwGIlcMEJVPEik3hP90PYmlIbHRrrJfFhtJWkcit H8XJ80KJ5c8hvKMICXbDyqS0lRVAvpjZAjARYrwVYHIWKaKUavNn3SDEKe4BRg55KxN8 atqxLRD9Gq2M7xdSoLbOeVjFeRRBuy/y5nRo3bJVXK0tPgTtize94RBxLUGCuLF0fxyw 8NiQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=Y/enoiHodzaAlczHL6YqVbiUJ09DEwZMMVaK6GcpSQQ=; b=OX81810xlvYzkvdqV3Y5Z+vdGUg4lXiIqXbGUk+uyt4uecEUcbLsgid4pTyGq1jKVd naVVqC5ZFkvCba+lWZow2npA/o257wtqsjPiQHsd3xSDYjHLWo2O+iigOXiK7HCX4RGe Ei88mn3Wvg43mck4nWgKem2QLUh17vy2q5eZtA67JkuHJxKJwlKAxe7+vx/c6nqeHO/s uXychcLP5eYfJlb1A+GAj+QceFzh75gLvKeU9VdNrnawjZ5r3+dSEOXU0Jo1dSj+WktD 2zatvPszzlcPy5J5te7ZIQMvL8Mp3s2dVDwzsTDKQ8e8UYoySZ7fJFXzwl8e5CaYGeS/ hZXg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o2si1728734otj.312.2020.02.20.06.26.30; Thu, 20 Feb 2020 06:26:43 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728026AbgBTO01 (ORCPT + 99 others); Thu, 20 Feb 2020 09:26:27 -0500 Received: from mail.hallyn.com ([178.63.66.53]:59536 "EHLO mail.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727088AbgBTO01 (ORCPT ); Thu, 20 Feb 2020 09:26:27 -0500 Received: by mail.hallyn.com (Postfix, from userid 1001) id B0D613F5; Thu, 20 Feb 2020 08:26:24 -0600 (CST) Date: Thu, 20 Feb 2020 08:26:24 -0600 From: "Serge E. Hallyn" To: Andy Lutomirski Cc: Christian Brauner , "Serge E. Hallyn" , =?iso-8859-1?Q?St=E9phane?= Graber , "Eric W. Biederman" , Aleksa Sarai , Jann Horn , smbarber@chromium.org, Seth Forshee , Alexander Viro , Alexey Dobriyan , James Morris , Kees Cook , Jonathan Corbet , Phil Estes , LKML , Linux FS Devel , Linux Containers , LSM List , Linux API Subject: Re: [PATCH v3 09/25] fs: add is_userns_visible() helper Message-ID: <20200220142624.GA5249@mail.hallyn.com> References: <20200218143411.2389182-1-christian.brauner@ubuntu.com> <20200218143411.2389182-10-christian.brauner@ubuntu.com> <20200219024233.GA19334@mail.hallyn.com> <20200219120604.vqudwaeppebvisco@wittgenstein> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 19, 2020 at 09:18:51AM -0800, Andy Lutomirski wrote: > On Wed, Feb 19, 2020 at 4:06 AM Christian Brauner > wrote: > > > > On Tue, Feb 18, 2020 at 08:42:33PM -0600, Serge Hallyn wrote: > > > On Tue, Feb 18, 2020 at 03:33:55PM +0100, Christian Brauner wrote: > > > > Introduce a helper which makes it possible to detect fileystems whose > > > > superblock is visible in multiple user namespace. This currently only > > > > means proc and sys. Such filesystems usually have special semantics so their > > > > behavior will not be changed with the introduction of fsid mappings. > > > > > > Hi, > > > > > > I'm afraid I've got a bit of a hangup about the terminology here. I > > > *think* what you mean is that SB_I_USERNS_VISIBLE is an fs whose uids are > > > always translated per the id mappings, not fsid mappings. But when I see > > > > Correct! > > > > > the name it seems to imply that !SB_I_USERNS_VISIBLE filesystems can't > > > be seen by other namespaces at all. > > > > > > Am I right in my first interpretation? If so, can we talk about the > > > naming? > > > > Yep, your first interpretation is right. What about: wants_idmaps() > > Maybe fsidmap_exempt()? Yeah, and maybe SB_USERNS_FSID_EXEMPT ? > I still haven't convinced myself that any of the above is actually > correct behavior, especially when people do things like creating > setuid binaries. The only place that would be a problem is if the child userns has an fsidmapping from X to 0 in the parent userns, right? Yeah I'm sure many people would ignore all advice to the contrary and do this anyway, but I would try hard to suggest that people use an intermediary userns for storing filesystems for the "docker share" case. So the host fsid range would start at say 200000. So a setuid binary would just be setuid-200000.