From: Rik van Riel <riel@surriel.com>
To: Dave Marchevsky <davemarchevsky@fb.com>, linux-fsdevel@vger.kernel.org
Cc: Miklos Szeredi <miklos@szeredi.hu>,
Seth Forshee <sforshee@digitalocean.com>,
kernel-team@fb.com
Subject: Re: [PATCH] fuse: allow CAP_SYS_ADMIN in root userns to access allow_other mount
Date: Thu, 11 Nov 2021 21:10:27 -0500 [thread overview]
Message-ID: <f6bc63e6a9dd4077b021743583fa30325ca87c45.camel@surriel.com> (raw)
In-Reply-To: <20211111221142.4096653-1-davemarchevsky@fb.com>
[-- Attachment #1: Type: text/plain, Size: 991 bytes --]
On Thu, 2021-11-11 at 14:11 -0800, Dave Marchevsky wrote:
>
> This patch adds an escape hatch to the descendant userns logic
> specifically for processes with CAP_SYS_ADMIN in the root userns.
> Such
> processes can already do many dangerous things regardless of
> namespace,
> and moreover could fork and setns into any child userns with a FUSE
> mount, so it's reasonable to allow them to interact with all
> allow_other
> FUSE filesystems.
>
> Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
> Cc: Miklos Szeredi <miklos@szeredi.hu>
> Cc: Seth Forshee <sforshee@digitalocean.com>
> Cc: Rik van Riel <riel@surriel.com>
> Cc: kernel-team@fb.com
This will also want a:
Fixes: 73f03c2b4b52 ("fuse: Restrict allow_other to the superblock's
namespace or a descendant")
Cc: stable@kernel.org
The patch itself looks good to my untrained eye, but could
probably use some attention from somebody who really understands
the VFS :)
--
All Rights Reversed.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2021-11-12 2:19 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-11 22:11 [PATCH] fuse: allow CAP_SYS_ADMIN in root userns to access allow_other mount Dave Marchevsky
2021-11-12 2:10 ` Rik van Riel [this message]
2021-11-12 10:13 ` Christian Brauner
2021-11-12 23:29 ` Dave Marchevsky
2021-11-15 15:28 ` Miklos Szeredi
2022-05-17 16:50 ` Dave Marchevsky
2022-05-18 11:22 ` Christian Brauner
2022-05-18 11:26 ` Miklos Szeredi
2022-05-19 4:56 ` Andrii Nakryiko
2022-05-19 8:59 ` Christian Brauner
2022-05-24 4:35 ` Andrii Nakryiko
2022-05-24 7:07 ` Miklos Szeredi
2022-05-24 14:59 ` Rik van Riel
2022-05-24 15:44 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f6bc63e6a9dd4077b021743583fa30325ca87c45.camel@surriel.com \
--to=riel@surriel.com \
--cc=davemarchevsky@fb.com \
--cc=kernel-team@fb.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=sforshee@digitalocean.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.