public inbox for gdb-patches@sourceware.org
From: Benjamin Berg <benjamin@sipsolutions.net>
To: Tom Tromey <tom@tromey.com>,
	benjamin--- via Gdb-patches <gdb-patches@sourceware.org>
Subject: Re: [PATCH] nat: linux-namespaces: Also enter user namespace
Date: Wed, 20 Sep 2023 10:15:13 +0200
Message-ID: <04d33930d37979ffc26ea47ced13cbbd15f58479.camel@sipsolutions.net>
In-Reply-To: <87pm2e6lyu.fsf@tromey.com>

On Tue, 2023-09-19 at 12:45 -0600, Tom Tromey wrote:
> > From: Benjamin Berg <benjamin@sipsolutions.net>
> > The use of user namespaces is required for normal users to use mount
> > namespaces. Also entering the user namespace means that a normal user
> > can debug processes created that way.
> 
> I was going through my email backlog and didn't see a reply to this.
> 
> I don't know anything about mount namespaces.  How would one test this
> patch?  Is it possible to modify some existing test to exercise the new
> code?

You can easily reproduce it by starting a target process as a normal user
using:

$ unshare --mount -r target-process

Then, simply try to attach GDB to it. Without the patch, GDB will not be
able to enter the mount namespace unless it is run using e.g. "sudo"
instead of the original user (in the same way as "unshare --mount"
without "-r" will not work for the normal user). With the patch it will
succeed.

The patch works great for me solving my namespaces problem, but I never
checked if there is a test case that could be modified/extended. If
there is a test case, then it would likely already exercise the new
code path and I would also expect such a test to fail already if run as
a non-root user.

Benjamin
