From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by sourceware.org (Postfix) with ESMTPS id 513323858439 for ; Wed, 17 Nov 2021 22:44:10 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 513323858439 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-19-uxB5MVejPoKpUObnu9I8fg-1; Wed, 17 Nov 2021 17:44:08 -0500 X-MC-Unique: uxB5MVejPoKpUObnu9I8fg-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E360D100CC84 for ; Wed, 17 Nov 2021 22:44:07 +0000 (UTC) Received: from greed.delorie.com (ovpn-112-96.phx2.redhat.com [10.3.112.96]) by smtp.corp.redhat.com (Postfix) with ESMTPS id B55D85FC13; Wed, 17 Nov 2021 22:44:07 +0000 (UTC) Received: from greed.delorie.com.redhat.com (localhost [127.0.0.1]) by greed.delorie.com (8.15.2/8.15.2) with ESMTP id 1AHMi6tS2945801; Wed, 17 Nov 2021 17:44:06 -0500 From: DJ Delorie To: Florian Weimer Cc: libc-alpha@sourceware.org Subject: Re: [patch v3] Allow for unpriviledged nested containers In-Reply-To: <8735nv82i5.fsf@oldenburg.str.redhat.com> Date: Wed, 17 Nov 2021 17:44:06 -0500 Message-ID: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain X-Spam-Status: No, score=-6.5 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Nov 2021 22:44:12 -0000 Florian Weimer writes: >> When running a "make check" in an untrusted podman container, we do >> not have priviledges to mount a new /proc. Previously, we just failed >> to initialize the container and thus all test-container tests were >> "unsupported". With this change, we bind mount the parent's /proc, >> which we have priviledges to do. Note that MS_REC is needed as /proc >> typically has things mounted within it, and not mounting those would >> be a security hole[*]. > > I see a new test failure with this, elf/tst-pldd. Happens with > kernel-5.14.17-301.fc35.x86_64, kernel-5.14.13-100.fc33.x86_64, > linux-image-5.10.0-9-amd64_5.10.70-1, as a non-root user. Heh, this is a fun one. If you bind mount /proc, you get the /proc/ from the parent namespace. If you direct mount it as type "proc" you get the /proc/ from the child namespace. I.e. the pldd test fails because it's looking at the wrong process. I suspect the only way around this is to check for the specific permission (capability?) we need, early, so we can bind mount /proc only if we know in advance that the direct mount will fail. Or decide that having the parent's /proc/ would cause more problems than it's worth and just not have a /proc at all in that case.