From: bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org
Subject: [Bug 120671] missing info about userns restrictions
Date: Tue, 21 Jun 2016 09:25:01 +0000
Sender: linux-man-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
To: linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
List-Id: linux-man@vger.kernel.org
https://bugzilla.kernel.org/show_bug.cgi?id=120671

Michał Zegan changed:
What       |Removed  |Added
-----------+---------+---------
Status     |RESOLVED |REOPENED
Resolution |CODE_FIX |---
--- Comment #8 from Michał Zegan ---

Reopening because I confirmed the fact about filesystems not being mountable, at least ext2. As I do not know the kernel well enough to read the sources, it would be useful to have a list of filesystems that are mountable, but I cannot write it; I only know of at least proc, devpts(?), tmpfs and cgroupv2 (at least if cgroup namespaces are enabled). All my words have to be verified to make sure I am not wrong. Also, someone should find any other restrictions user namespaces impose, if they exist, because I do not know any.

To make you confident I tested filesystem mounting properly, I will paste my terminal session after changing to the English locale. :)
Logged in as my server's root and making user/mount/pid namespace.
[root@webczatnet ~]# unshare -rUpmf
[root@webczatnet ~]# fallocate -l 1M test
[root@webczatnet ~]# losetup /dev/loop0 test
[root@webczatnet ~]# mke2fs /dev/loop0
mke2fs 1.42.13 (17-May-2015)
Discarding device blocks: done
Creating filesystem with 1024 1k blocks and 128 inodes
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
[root@webczatnet ~]# mkdir x
[root@webczatnet ~]# mount /dev/loop0 x
mount: permission denied
[root@webczatnet ~]# exit
logout
[root@webczatnet ~]# mount /dev/loop0 x
[root@webczatnet ~]# umount x
[root@webczatnet ~]# rmdir x
[root@webczatnet ~]# losetup -d /dev/loop0
[root@webczatnet ~]# rm test
One comment: I am not sure why I can losetup from the userns. Is it because I have rw on loop0, as root is mapped to the new userns root, or does it check CAP_SYS_ADMIN in the new userns, or both?
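As an added example (not part of the bug report or of the man-pages project), the following C program generalizes the ext2 test above: it sets up a user and mount namespace the way `unshare -rUm` does, then attempts a mount(2) of each filesystem type in a constructed list and reports the resulting errno, so EPERM separates "not allowed in a user namespace" from "mountable". The type list and the /tmp mount point are assumptions for the demo; the kernel performs the per-type capability check before it looks at the mount source, which is why a source of "none" is enough.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>
#define PROBE_UNAVAILABLE 255  /* namespace could not be set up (userns disabled, seccomp, ...) */
/* Write a short string to a /proc file; returns 0 on success. */
static int write_file(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Try mount(2) of `fstype` inside a fresh user+mount namespace (like `unshare -rUm`). Returns 0 if
 * it mounted, the mount(2) errno if not (EPERM = type not allowed in a userns), or PROBE_UNAVAILABLE. */
int probe_userns_mount(const char *fstype) {
    char dir[] = "/tmp/userns-probe.XXXXXX", map[64];  /* constructed mount point, removed below */
    if (!mkdtemp(dir)) return PROBE_UNAVAILABLE;
    pid_t pid = fork();
    if (pid < 0) { rmdir(dir); return PROBE_UNAVAILABLE; }
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) _exit(PROBE_UNAVAILABLE);
        snprintf(map, sizeof map, "0 %u 1", (unsigned)getuid());  /* our uid becomes root inside */
        if (write_file("/proc/self/uid_map", map) != 0) _exit(PROBE_UNAVAILABLE);
        write_file("/proc/self/setgroups", "deny");  /* required before an unprivileged gid_map */
        snprintf(map, sizeof map, "0 %u 1", (unsigned)getgid());
        if (write_file("/proc/self/gid_map", map) != 0) _exit(PROBE_UNAVAILABLE);
        /* Source "none" suffices: the type's capability check runs before the source is used. */
        if (mount("none", dir, fstype, 0, NULL) == 0) _exit(0);
        _exit(errno);
    }
    int status; waitpid(pid, &status, 0);
    rmdir(dir);  /* the child's mount existed only in its own mount namespace */
    return WIFEXITED(status) ? WEXITSTATUS(status) : PROBE_UNAVAILABLE;
}

int main(void) {
    const char *types[] = { "tmpfs", "proc", "devpts", "ext2" };
    for (size_t i = 0; i < sizeof types / sizeof *types; i++) {
        int r = probe_userns_mount(types[i]);
        printf("%-7s %s\n", types[i], r == 0 ? "mountable" : r == PROBE_UNAVAILABLE ? "probe unavailable" : strerror(r));
    }
    return 0;
}
```

Run it as an ordinary user; a line reading "probe unavailable" means the kernel or a sandbox refused to create the user namespace at all, which is a different restriction from the per-filesystem one the report is about.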