Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp2457250pxf; Sat, 27 Mar 2021 11:57:45 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwvVmILPjn8c4ZarJ82oGIzswJ+buiYsi/MY5FvaM2tKlSqWsInQVQV5B6YsRsGlYKE8NdV X-Received: by 2002:a05:6402:510f:: with SMTP id m15mr21705523edd.328.1616871465220; Sat, 27 Mar 2021 11:57:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616871465; cv=none; d=google.com; s=arc-20160816; b=LfF7aJSU8U5PcuxwyRhBkCLAwXK0uSf2PJFoe34YrZa1MCo08+uThsHuDTt+YflBwa wny/4qNMliLfmRTlC2ZS8sQqpwYoEssryo5kD6AobFMWstHp0Vb9AmhEY2aLv0U7FgMe 554lUzbcN6H++06tGWv9m5AcmhSnugrWKr7GRo7MACi4mg9u3REpeESGcIOwTNYnKLmX gbigCx70zzr8DQQo0kelNDjiphDpPpCyrMGwRQJxGgQaHXvTxg2VZ7sHjySdSSYe8Tel XWvjrig5Oh1fFAdHU4JhnJLRxCunAm5GpG0re4YL/E2L9Ti/FBfz+J24/1dDGjqAuKap PmtQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:cc:from :references:to:subject; bh=fWh+p4kmfLdCKRjrciBC1OKMfOyquhCZEx0PkWiL7P0=; b=tSzg9cje/9hbVsp1TUU4ArRCjcV1l/kS3wn9geQvb7RPUm2Bi9+RpjwwI3VhMY8Jsc zjeDoObPaN5niELUygWF414Wfv1FmtVpwBqguCdj/+LHzf57iNwTagLGMCaHHc67VSBc CdvgBbLQQ4oL+9zL6Urt5FV07cewBOPghc99j875zolSCPn5VC0aECbOCsxi0kJNUoEy 9u2m5mghuqF7rG4izybU+Pt91fS5b3MnYGBipQlFcribtX6pOm0OZH5yAf7j5zof2udp ydcyuaCdt7xcImXD5i5ICNqlcpDEzcWQ1KJOp248u2LoYjVgR1bHteSQcCy6Wh5YEkRe 3SQw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v3si9503912ejb.97.2021.03.27.11.57.07; Sat, 27 Mar 2021 11:57:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230015AbhC0S4B (ORCPT + 99 others); Sat, 27 Mar 2021 14:56:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49394 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230139AbhC0Szo (ORCPT ); Sat, 27 Mar 2021 14:55:44 -0400 Received: from smtp-8fae.mail.infomaniak.ch (smtp-8fae.mail.infomaniak.ch [IPv6:2001:1600:4:17::8fae]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DC2B9C0613B3 for ; Sat, 27 Mar 2021 11:55:40 -0700 (PDT) Received: from smtp-2-0001.mail.infomaniak.ch (unknown [10.5.36.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4F77MW1TjMzMptWs; Sat, 27 Mar 2021 19:55:35 +0100 (CET) Received: from ns3096276.ip-94-23-54.eu (unknown [23.97.221.149]) by smtp-2-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4F77MV4KsDzlh8T9; Sat, 27 Mar 2021 19:55:34 +0100 (CET) Subject: Re: [PATCH v5 1/1] fs: Allow no_new_privs tasks to call chroot(2) To: Askar Safin References: <1616800362.522029786@f737.i.mail.ru> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Cc: kernel-hardening@lists.openwall.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Message-ID: <7d9c2a08-89da-14ea-6550-527a3f2c9c9e@digikod.net> Date: Sat, 27 Mar 2021 19:56:23 +0100 User-Agent: MIME-Version: 1.0 In-Reply-To: <1616800362.522029786@f737.i.mail.ru> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 27/03/2021 00:12, Askar Safin wrote: > Hi. Unprivileged users already can do chroot. He should simply create userns and then call "chroot" inside. As an LWN commenter noted, you can simply run > "unshare -r /usr/sbin/chroot some-dir". (I recommend reading all comments: https://lwn.net/Articles/849125/ .) We know that userns can be use to get the required capability in a new namespace, but this patch is to not require to use this namespace, as explained in the commit message. I already added some comments in the LWN article though. > > Also: if you need chroot for path resolving only, consider openat2 with RESOLVE_IN_ROOT ( https://lwn.net/Articles/796868/ ). openat2 was also discussed in previous versions of this patch.