On Mon, Mar 2, 2015 at 9:09 AM, Eric W. Biederman <[email protected]> wrote:
> Alexander Larsson <[email protected]> writes:
>
>> On Fri, 2015-02-20 at 17:05 -0800, Andy Lutomirski wrote:
>>> On Fri, Feb 20, 2015 at 4:43 PM, Andy Lutomirski <[email protected]> wrote:
>>> > On Fri, Feb 20, 2015 at 4:31 PM, Eric W. Biederman <[email protected]> wrote:
>>> >> Andy Lutomirski <[email protected]> writes:
>>> >>
>>> >>> On Thu, Feb 19, 2015 at 8:38 AM, Alexander Larsson <[email protected]> wrote:
>>> >>>> On Tue, 2015-02-17 at 13:23 -0800, Andy Lutomirski wrote:
>>> >>>>
>>> >>>>> - setuid / privileged helper. Why do you need a privileged helper?
>>> >>>>> You should be able to do all of this using user namespaces. The
>>> >>>>> Sandstorm code linked above does exactly this.
>>> >>>>
>>> >>>> I tried this a bit, but I ran into two snags I don't understand.
>>> >>>>
>>> >>>> First of all, as uid/gid 1000 I can put "1000 1000 1"
>>> >>>> in /proc/self/uid_map from the child. However, I cannot put
>>> >>>> "1000 1000 1" into gid_map, as I get EPERM.
>>> >>>> I don't understand this, is this not supposed to work?
>>> >>>
>>> >>> You need newer manpages :-/ Try the attached variant.
>>> >>
>>> >> Yeah. You need to disable setgroups for that to work.
>>> >>
>>> >>>> Secondly, I'm failing to mount another instance of devpts. It fails
>>> >>>> with EINVAL.
>>> >>>
>>> >>> Hmm. Off the top of my head, there's no good reason that devpts with
>>> >>> the newinstance option couldn't be allowed in a userns. Eric, any
>>> >>> thoughts here? The patch would be straightforward.
>>> >>
>>> >> Looking at the code you have to have uid 0 and gid 0 mapped and you have
>>> >> to specify newinstance. But devpts is mountable without being the
>>> >> global root user.
>>> >
>>> > Wow, my grepping skills are nonexistent today.
>>> >
>>> >> The restriction of having uid 0 and gid 0 mapped is just that /dev/ptmx
>>> >> is and has always been owned by root, and so mknod_ptmx just won't let
>>> >> you create a device inode with a uid or gid you can't map.
>>> >
>>> > All we'd have to do is to add ptmx_uid and ptmx_gid options, right?
>>> > I'll send a patch.
>>>
>>> With the patch I just sent out, the attached version of the test code works.
>>
>> Hmm, I also want to have /sys readonly in the container. For things like
>> OpenGL to work (it needs to look at the pci tables to see what driver to
>> load). This seems to be problematic, I keep getting EPERM when I try to
>> mount my own copy of it.
>>
>> I am able to do a bind mount of the system one, *if* I pass in MS_REC
>> (which is not necessarily what I want), but I then later fail when
>> trying to remount it read-only.
>
> MS_REC should be only required if there is something mounted on top of
> one of the files in sysfs. It sounds like there is, and exposing that
> file would be a permission issue.
>

What's mounted on /sys? If it's just /sys/fs stuff, then I'd argue that
we should exempt it and allow the non-recursive bind mount.

--Andy

_______________________________________________
gnome-os-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-os-list
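The sequence the thread works through (an unprivileged uid_map, "deny" to setgroups before gid_map is written, then a non-recursive read-only bind of /sys), as an added C example; it is not the test code attached in the thread, the function names are my own, and it assumes a Linux kernel with unprivileged user namespaces enabled.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>

/* One write(2) of `text` to `path` (the id-map files require exactly one). 0 or -errno. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    int err = write(fd, text, strlen(text)) == (ssize_t)strlen(text) ? 0 : -errno;
    close(fd);
    return err;
}
/* Format one "inside outside count" map line; returns its length, or -1 if it does not fit. */
int format_id_map(char *buf, size_t len, unsigned in, unsigned out, unsigned n)
{
    int w = snprintf(buf, len, "%u %u %u\n", in, out, n);
    return (w < 0 || (size_t)w >= len) ? -1 : w;
}
/* New user+mount namespace mapping only the caller's own uid and gid. "deny"
 * must be written to /proc/self/setgroups before gid_map, or an unprivileged
 * process gets the EPERM seen in the thread. Returns 0 or -errno. */
int enter_userns_mapped_self(void)
{
    char map[64];
    int err;
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0)
        return -errno;
    format_id_map(map, sizeof map, getuid(), getuid(), 1);
    if ((err = write_file("/proc/self/uid_map", map)) < 0)
        return err;
    if ((err = write_file("/proc/self/setgroups", "deny")) < 0)
        return err;
    format_id_map(map, sizeof map, getgid(), getgid(), 1);
    return write_file("/proc/self/gid_map", map);
}
/* Non-recursive read-only bind of sysfs onto itself: bind, then remount with MS_RDONLY
 * added. 0 or -errno (EPERM if a submount is in the way or the remount would drop
 * flags such as nosuid that are locked in the parent namespace). */
int bind_sys_readonly(const char *target)
{
    if (mount(target, target, NULL, MS_BIND, NULL) < 0)
        return -errno;
    return mount(NULL, target, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) ? -errno : 0;
}
```

Call `enter_userns_mapped_self()` and then `bind_sys_readonly("/sys")` from an unprivileged process; the -errno returned by the first failing step tells you which of the thread's two snags you hit.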
