| Message ID | a26103156b3f6ba73b1e46c6f577f1bee74872d9.1512041070.git.dongsu@kinvolk.io (mailing list archive) |
|---|---|
| State | New, archived |
On Fri, Dec 22, 2017 at 03:32:34PM +0100, Dongsu Park wrote:
> From: Seth Forshee <seth.forshee@canonical.com>
>
> To be able to mount fuse from non-init user namespaces, it's necessary
> to set FS_USERNS_MOUNT flag to fs_flags.
>
> Patch v4 is available: https://patchwork.kernel.org/patch/8944681/
>
> Cc: linux-fsdevel@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Cc: Miklos Szeredi <mszeredi@redhat.com>
> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
> [dongsu: add a simple commit message]
> Signed-off-by: Dongsu Park <dongsu@kinvolk.io>

Reviewed-by: Serge Hallyn <serge@hallyn.com>

> ---
> fs/fuse/inode.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
> index 7f6b2e55..8c98edee 100644
> --- a/fs/fuse/inode.c
> +++ b/fs/fuse/inode.c
> @@ -1212,7 +1212,7 @@ static void fuse_kill_sb_anon(struct super_block *sb)
> static struct file_system_type fuse_fs_type = {
> .owner = THIS_MODULE,
> .name = "fuse",
> - .fs_flags = FS_HAS_SUBTYPE,
> + .fs_flags = FS_HAS_SUBTYPE | FS_USERNS_MOUNT,
> .mount = fuse_mount,
> .kill_sb = fuse_kill_sb_anon,
> };
> @@ -1244,7 +1244,7 @@ static struct file_system_type fuseblk_fs_type = {
> .name = "fuseblk",
> .mount = fuse_mount_blk,
> .kill_sb = fuse_kill_sb_blk,
> - .fs_flags = FS_REQUIRES_DEV | FS_HAS_SUBTYPE,
> + .fs_flags = FS_REQUIRES_DEV | FS_HAS_SUBTYPE | FS_USERNS_MOUNT,
> };
> MODULE_ALIAS_FS("fuseblk");
>
> --
> 2.13.6
On Fri, Dec 22, 2017 at 3:32 PM, Dongsu Park <dongsu@kinvolk.io> wrote:
> From: Seth Forshee <seth.forshee@canonical.com>
>
> To be able to mount fuse from non-init user namespaces, it's necessary
> to set FS_USERNS_MOUNT flag to fs_flags.
>
> Patch v4 is available: https://patchwork.kernel.org/patch/8944681/
>
> Cc: linux-fsdevel@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Cc: Miklos Szeredi <mszeredi@redhat.com>
> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
> [dongsu: add a simple commit message]
> Signed-off-by: Dongsu Park <dongsu@kinvolk.io>
> ---
> fs/fuse/inode.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
> index 7f6b2e55..8c98edee 100644
> --- a/fs/fuse/inode.c
> +++ b/fs/fuse/inode.c
> @@ -1212,7 +1212,7 @@ static void fuse_kill_sb_anon(struct super_block *sb)
> static struct file_system_type fuse_fs_type = {
> .owner = THIS_MODULE,
> .name = "fuse",
> - .fs_flags = FS_HAS_SUBTYPE,
> + .fs_flags = FS_HAS_SUBTYPE | FS_USERNS_MOUNT,
> .mount = fuse_mount,
> .kill_sb = fuse_kill_sb_anon,
> };

I think enabling FS_USERNS_MOUNT should be pretty safe.

I was thinking opting out should be as simple as "chmod o-rw /dev/fuse". But that breaks libfuse, even though fusermount opens /dev/fuse in privileged mode, so it shouldn't. That can be fixed in libfuse, but it's an unfortunate bug and it also means /dev/fuse is configured with "crw-rw-rw-" in most cases. Which means it will be opting out, not opting in, which is the less safe version.

> @@ -1244,7 +1244,7 @@ static struct file_system_type fuseblk_fs_type = {
> .name = "fuseblk",
> .mount = fuse_mount_blk,
> .kill_sb = fuse_kill_sb_blk,
> - .fs_flags = FS_REQUIRES_DEV | FS_HAS_SUBTYPE,
> + .fs_flags = FS_REQUIRES_DEV | FS_HAS_SUBTYPE | FS_USERNS_MOUNT,
> };
> MODULE_ALIAS_FS("fuseblk");

As I said, this hunk should be dropped from the first version, because it's possibly unsafe.

Thanks,
Miklos
On Wed, Feb 14, 2018 at 2:44 PM, Miklos Szeredi <mszeredi@redhat.com> wrote:
> On Fri, Dec 22, 2017 at 3:32 PM, Dongsu Park <dongsu@kinvolk.io> wrote:
>> From: Seth Forshee <seth.forshee@canonical.com>
>>
>> To be able to mount fuse from non-init user namespaces, it's necessary
>> to set FS_USERNS_MOUNT flag to fs_flags.
>>
>> Patch v4 is available: https://patchwork.kernel.org/patch/8944681/
>>
>> Cc: linux-fsdevel@vger.kernel.org
>> Cc: linux-kernel@vger.kernel.org
>> Cc: Miklos Szeredi <mszeredi@redhat.com>
>> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
>> [dongsu: add a simple commit message]
>> Signed-off-by: Dongsu Park <dongsu@kinvolk.io>
>> ---
>> fs/fuse/inode.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
>> index 7f6b2e55..8c98edee 100644
>> --- a/fs/fuse/inode.c
>> +++ b/fs/fuse/inode.c
>> @@ -1212,7 +1212,7 @@ static void fuse_kill_sb_anon(struct super_block *sb)
>> static struct file_system_type fuse_fs_type = {
>> .owner = THIS_MODULE,
>> .name = "fuse",
>> - .fs_flags = FS_HAS_SUBTYPE,
>> + .fs_flags = FS_HAS_SUBTYPE | FS_USERNS_MOUNT,
>> .mount = fuse_mount,
>> .kill_sb = fuse_kill_sb_anon,
>> };
>
> I think enabling FS_USERNS_MOUNT should be pretty safe.
>
> I was thinking opting out should be as simple as "chmod o-rw
> /dev/fuse". But that breaks libfuse, even though fusermount opens
> /dev/fuse in privileged mode, so it shouldn't.

I'm talking rubbish, /dev/fuse is opened without privs in fusermount as well. So there's no way to differentiate user_ns unpriv mounts from suid fusermount unpriv mounts.

Maybe that's just as well...

Thanks,
Miklos
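A defender-side check for the opt-out Miklos describes (whether /dev/fuse still grants "other" read and write), added here as an example; it is not part of the thread, of libfuse, or of the kernel patch. It assumes a Linux host where `stat -c %a` prints the octal mode of the device node; the mode values used for the checks are constructed.

```shell
# Added example (not from the thread): audit the "chmod o-rw /dev/fuse"
# opt-out. Once fuse carries FS_USERNS_MOUNT, the mode on /dev/fuse is
# what decides whether an unprivileged user namespace can reach the fuse
# device at all, so this is the bit worth monitoring.

# fuse_dev_world_rw MODE
#   MODE is an octal mode string as printed by `stat -c %a`, e.g. 666.
#   Returns 0 (true) when "other" has both read and write, 1 otherwise.
fuse_dev_world_rw() {
    mode=$1
    # The last octal digit is the "other" triplet (r=4, w=2, x=1).
    other=${mode#"${mode%?}"}
    case "$other" in
        6|7) return 0 ;;   # rw- or rwx for other
        *)   return 1 ;;
    esac
}

# audit_dev_fuse [DEVICE]
#   Reads the live mode of /dev/fuse (default) and reports whether the
#   opt-out is in place. Returns 0 if restricted, 1 if world read/write,
#   2 if the character device is absent (e.g. fuse module not loaded).
audit_dev_fuse() {
    dev=${1:-/dev/fuse}
    if [ ! -c "$dev" ]; then
        echo "$dev: no such character device"
        return 2
    fi
    mode=$(stat -c %a "$dev")
    if fuse_dev_world_rw "$mode"; then
        echo "$dev mode $mode: world read/write, unprivileged userns mounts possible"
        return 1
    fi
    echo "$dev mode $mode: other has no rw, opt-out in place"
    return 0
}
```

Source the file and run `audit_dev_fuse` on a host; the exit status makes it usable from a configuration-compliance job. As the thread points out, the same mode also gates setuid fusermount, so restricting it affects ordinary libfuse users, not only user-namespace mounts.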
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 7f6b2e55..8c98edee 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -1212,7 +1212,7 @@ static void fuse_kill_sb_anon(struct super_block *sb)
static struct file_system_type fuse_fs_type = {
.owner = THIS_MODULE,
.name = "fuse",
- .fs_flags = FS_HAS_SUBTYPE,
+ .fs_flags = FS_HAS_SUBTYPE | FS_USERNS_MOUNT,
.mount = fuse_mount,
.kill_sb = fuse_kill_sb_anon,
};
@@ -1244,7 +1244,7 @@ static struct file_system_type fuseblk_fs_type = {
.name = "fuseblk",
.mount = fuse_mount_blk,
.kill_sb = fuse_kill_sb_blk,
- .fs_flags = FS_REQUIRES_DEV | FS_HAS_SUBTYPE,
+ .fs_flags = FS_REQUIRES_DEV | FS_HAS_SUBTYPE | FS_USERNS_MOUNT,
};
MODULE_ALIAS_FS("fuseblk");
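Review bot: in the first hunk (fuse_fs_type at line 1212), adding FS_USERNS_MOUNT makes access to /dev/fuse the only remaining gate on who can mount fuse from a user namespace, and the thread notes that node is normally "crw-rw-rw-", so this ships as opt-out rather than opt-in. The commit message should say so explicitly and name the opt-out ("chmod o-rw /dev/fuse") together with the caveat raised later in the thread: fusermount also opens /dev/fuse without privileges, so the kernel cannot distinguish a userns mount from a setuid-fusermount one and the chmod affects both. Separately, "messasge" in the "[dongsu: add a simple commit messasge]" trailer is a typo.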
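Review bot: the second hunk (fuseblk_fs_type at line 1244) should be dropped from this version, as the maintainer asked in the thread: fuseblk carries FS_REQUIRES_DEV, so it is backed by a block device, and extending FS_USERNS_MOUNT to it was called possibly unsafe without further analysis. Land the fuse_fs_type change alone and revisit fuseblk in a separate patch with its own justification. If the hunk is kept anyway, .fs_flags sits in a different position in the two initializers (after .name in fuse_fs_type, last in fuseblk_fs_type); ordering them the same way would make the two flag sets easier to compare.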