From mboxrd@z Thu Jan 1 00:00:00 1970 From: Seth Forshee Subject: Re: [PATCH review 11/13] mnt: Simplify mount_too_revealing Date: Wed, 22 Jun 2016 14:48:31 -0500 Message-ID: <20160622194831.GF125285@ubuntu-hedt> References: <87fus77pns.fsf@x220.int.ebiederm.org> <20160620172130.15712-1-ebiederm@xmission.com> <20160620172130.15712-11-ebiederm@xmission.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline In-Reply-To: <20160620172130.15712-11-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org To: "Eric W. Biederman" Cc: Miklos Szeredi , Linux Containers , Andy Lutomirski , James Bottomley , linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Djalal Harouni List-Id: containers.vger.kernel.org On Mon, Jun 20, 2016 at 12:21:28PM -0500, Eric W. Biederman wrote: > Verify all filesystems that we check in mount_too_revealing set > SB_I_NOEXEC and SB_I_NODEV in sb->s_iflags. That is true for today > and it should remain true in the future. > > Remove the now unnecessary checks from mnt_already_visibile that > ensure MNT_LOCK_NOSUID, MNT_LOCK_NOEXEC, and MNT_LOCK_NODEV are > preserved. Making the code shorter and easier to read. > > Relying on SB_I_NOEXEC and SB_I_NODEV instead of the user visible > MNT_NOSUID, MNT_NOEXEC, and MNT_NODEV ensures the many current > systems where proc and sysfs are mounted with "nosuid, nodev, noexec" > and several slightly buggy container applications don't bother to > set those flags continue to work. > > Signed-off-by: "Eric W. Biederman" Acked-by: Seth Forshee From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-oi0-f53.google.com ([209.85.218.53]:34508 "EHLO mail-oi0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750833AbcFVTsd (ORCPT ); Wed, 22 Jun 2016 15:48:33 -0400 Received: by mail-oi0-f53.google.com with SMTP id s66so38261494oif.1 for ; Wed, 22 Jun 2016 12:48:32 -0700 (PDT) Date: Wed, 22 Jun 2016 14:48:31 -0500 From: Seth Forshee To: "Eric W. Biederman" Cc: Linux Containers , linux-fsdevel@vger.kernel.org, Miklos Szeredi , James Bottomley , Djalal Harouni , "Serge E. Hallyn" , Andy Lutomirski Subject: Re: [PATCH review 11/13] mnt: Simplify mount_too_revealing Message-ID: <20160622194831.GF125285@ubuntu-hedt> References: <87fus77pns.fsf@x220.int.ebiederm.org> <20160620172130.15712-1-ebiederm@xmission.com> <20160620172130.15712-11-ebiederm@xmission.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20160620172130.15712-11-ebiederm@xmission.com> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On Mon, Jun 20, 2016 at 12:21:28PM -0500, Eric W. Biederman wrote: > Verify all filesystems that we check in mount_too_revealing set > SB_I_NOEXEC and SB_I_NODEV in sb->s_iflags. That is true for today > and it should remain true in the future. > > Remove the now unnecessary checks from mnt_already_visibile that > ensure MNT_LOCK_NOSUID, MNT_LOCK_NOEXEC, and MNT_LOCK_NODEV are > preserved. Making the code shorter and easier to read. > > Relying on SB_I_NOEXEC and SB_I_NODEV instead of the user visible > MNT_NOSUID, MNT_NOEXEC, and MNT_NODEV ensures the many current > systems where proc and sysfs are mounted with "nosuid, nodev, noexec" > and several slightly buggy container applications don't bother to > set those flags continue to work. > > Signed-off-by: "Eric W. Biederman" Acked-by: Seth Forshee