From: DJ Delorie <dj@redhat.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: libc-alpha@sourceware.org
Subject: Re: [patch v3] Allow for unpriviledged nested containers
Date: Wed, 17 Nov 2021 17:44:06 -0500 [thread overview]
Message-ID: <xn1r3e2yix.fsf@greed.delorie.com> (raw)
In-Reply-To: <8735nv82i5.fsf@oldenburg.str.redhat.com>
Florian Weimer <fweimer@redhat.com> writes:
>> When running a "make check" in an untrusted podman container, we do
>> not have priviledges to mount a new /proc. Previously, we just failed
>> to initialize the container and thus all test-container tests were
>> "unsupported". With this change, we bind mount the parent's /proc,
>> which we have priviledges to do. Note that MS_REC is needed as /proc
>> typically has things mounted within it, and not mounting those would
>> be a security hole[*].
>
> I see a new test failure with this, elf/tst-pldd. Happens with
> kernel-5.14.17-301.fc35.x86_64, kernel-5.14.13-100.fc33.x86_64,
> linux-image-5.10.0-9-amd64_5.10.70-1, as a non-root user.
Heh, this is a fun one. If you bind mount /proc, you get the
/proc/<pid> from the parent namespace. If you direct mount it as type
"proc" you get the /proc/<pid> from the child namespace.
I.e. the pldd test fails because it's looking at the wrong process.
I suspect the only way around this is to check for the specific
permission (capability?) we need, early, so we can bind mount /proc only
if we know in advance that the direct mount will fail. Or decide that
having the parent's /proc/<pid> would cause more problems than it's
worth and just not have a /proc at all in that case.
next prev parent reply other threads:[~2021-11-17 22:44 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-15 23:08 DJ Delorie
2021-11-17 11:06 ` Florian Weimer
2021-11-17 22:44 ` DJ Delorie [this message]
2021-11-18 11:35 ` Florian Weimer
2021-11-18 18:37 ` DJ Delorie
2021-11-18 19:47 ` Florian Weimer
2021-11-18 19:52 ` DJ Delorie
2021-11-18 19:55 ` Florian Weimer
2021-11-18 20:18 ` DJ Delorie
2021-11-18 20:20 ` Florian Weimer
2021-11-18 20:25 ` DJ Delorie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xn1r3e2yix.fsf@greed.delorie.com \
--to=dj@redhat.com \
--cc=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).