On Wed, Mar 07, 2018 at 11:44:35AM -0800, Linus Torvalds wrote:
> On Wed, Mar 7, 2018 at 8:17 AM, Christian Brauner
> <christian.brau...@canonical.com> wrote:
> >
> > unshare --mount
> > mount --bind /dev/pts/ptmx /dev/ptmx
> > chmod 666 /dev/ptmx
>
> Oh. Why are you using a bind mount in the first place?

Containers employing user namespaces can't mknod(), and because of the way
some LSMs check access permissions (path-based AppArmor being one example)
a symlink to /dev/pts/ptmx won't work either, so a bind-mount seems like the
most reliable solution.

> Anyway, I guess we just have to add another special case for this.
>
> Which doesn't look horrible. Right now path_pts() just does
>
>         ret = path_parent_directory(path);
>
> and that simply doesn't work for a bind mount file.
>
> I think we could just change path_parent_directory() to go through
> file bind mounts. The other user is follow_dotdot(), but that always
> takes a directory, so it wouldn't be affected.
>
> But it's probably safer to just teach path_pts to just walk up the
> bind mount first, and then do the existing path_parent_directory.
>
> Anybody want to just try that thing?

Sure. I can try and take a look.

Christian