Processed: Re: Bug#841026: Pull: "userns: proc and sysfs mount fix"
Processing control commands:

> tag -1 moreinfo
Bug #841026 [src:linux] Pull: "userns: proc and sysfs mount fix"
Added tag(s) moreinfo.

-- 
841026: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841026
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#841026: Pull: "userns: proc and sysfs mount fix"
Control: tag -1 moreinfo

On Sun, 2016-10-16 at 21:33 -0300, Dato Simó wrote:
> Package: linux-image-3.16.0-4-amd64
> Version: 3.16.7-ckt17-1
> 
> The upload to jessie of linux 3.16.7-ckt17-1 included the following
> change:
> 
>   - mnt: Refactor the logic for mounting sysfs and proc in a user
>     namespace [1]
> 
> This broke mounting sysfs and procfs under a user namespace.

It prevents mounting sysfs and procfs if they are not already mounted
somewhere else in the current mount namespace and fully visible.  So if
a container is set up with limited access (or no access) to one of these
filesystem types, nothing inside that container is allowed to change
that.

Did you rely on that being allowed?  Or are you mounting in some other
way that you think is wrongly being disallowed?

> There is a fix at [2] that claims to solve the problem.
[...]

No, it claims to make the test slightly stricter.

Ben.

-- 
Ben Hutchings
No political challenge can be met by shopping. - George Monbiot
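The rule Ben describes (proc or sysfs may only be mounted from inside a user namespace when an instance is already mounted in the current mount namespace, rooted at the filesystem root, with nothing mounted over it) can be checked from userspace by reading /proc/self/mountinfo. The following is an added example written for this page; it is not code from the bug report, from vagga, or from the Debian kernel. The function name `fs_looks_fully_visible`, the `mount_entry` struct and the mountinfo samples are all constructed here. It deliberately treats any over-mount as disqualifying, which is stricter than the kernel's own `fs_fully_visible()` in fs/namespace.c (the kernel tolerates some child mounts), so a 0 from it is a hint, not a verdict.

```c
/* Added example, not part of the Debian bug thread.  Approximates the
 * kernel's "is this filesystem already fully visible here?" test by
 * parsing /proc/self/mountinfo-formatted text.  Assumption: ANY mount
 * attached below the candidate disqualifies it; the real check in
 * fs/namespace.c is more permissive about child mounts. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MOUNTS 64
#define FIELD_LEN  256

struct mount_entry {
    char root[FIELD_LEN];        /* field 4: root of the mount within its fs */
    char mountpoint[FIELD_LEN];  /* field 5: where it is attached */
    char fstype[FIELD_LEN];      /* first field after the "-" separator */
};

/* One mountinfo line: six fixed fields, optional fields until a lone
 * "-", then fstype, source and super options.  Returns 0 on success. */
static int parse_mountinfo_line(const char *line, struct mount_entry *m)
{
    char buf[1024], *save = NULL, *tok;
    int field = 0, seen_sep = 0;

    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    m->root[0] = m->mountpoint[0] = m->fstype[0] = '\0';

    for (tok = strtok_r(buf, " ", &save); tok;
         tok = strtok_r(NULL, " ", &save), field++) {
        if (seen_sep) {
            snprintf(m->fstype, FIELD_LEN, "%s", tok);
            return 0;
        }
        if (field == 3)
            snprintf(m->root, FIELD_LEN, "%s", tok);
        else if (field == 4)
            snprintf(m->mountpoint, FIELD_LEN, "%s", tok);
        else if (field >= 6 && strcmp(tok, "-") == 0)
            seen_sep = 1;
    }
    return -1;  /* separator or fstype missing */
}

/* True when child lies strictly below parent in the path hierarchy. */
static int path_is_under(const char *parent, const char *child)
{
    size_t n = strlen(parent);

    if (strcmp(parent, child) == 0)
        return 0;
    if (strcmp(parent, "/") == 0)
        return child[0] == '/';
    return strncmp(child, parent, n) == 0 && child[n] == '/';
}

/* 1: a mount of fstype exists, is rooted at the fs root and has nothing
 * mounted beneath it.  0: no such mount (including fstype absent).
 * -1: malformed input. */
int fs_looks_fully_visible(const char *mountinfo, const char *fstype)
{
    struct mount_entry mounts[MAX_MOUNTS];
    char copy[8192], *save = NULL, *line;
    int n = 0, i, j;

    if (strlen(mountinfo) >= sizeof copy)
        return -1;
    strcpy(copy, mountinfo);

    for (line = strtok_r(copy, "\n", &save); line && n < MAX_MOUNTS;
         line = strtok_r(NULL, "\n", &save), n++)
        if (parse_mountinfo_line(line, &mounts[n]) != 0)
            return -1;

    for (i = 0; i < n; i++) {
        if (strcmp(mounts[i].fstype, fstype) != 0)
            continue;
        if (strcmp(mounts[i].root, "/") != 0)
            continue;   /* bind mount of a subdirectory: root not visible */
        for (j = 0; j < n; j++)
            if (j != i && path_is_under(mounts[i].mountpoint, mounts[j].mountpoint))
                break;  /* something is mounted over part of it */
        if (j == n)
            return 1;
    }
    return 0;
}

/* Constructed mountinfo samples, not captured from a real system. */
const char *const SAMPLE_PLAIN_PROC =
    "22 1 0:20 / / rw - ext4 /dev/sda1 rw\n"
    "23 22 0:4 / /proc rw,nosuid,nodev,noexec - proc proc rw\n";
const char *const SAMPLE_OVERMOUNTED_PROC =
    "22 1 0:20 / / rw - ext4 /dev/sda1 rw\n"
    "23 22 0:4 / /proc rw,nosuid,nodev,noexec - proc proc rw\n"
    "24 23 0:30 / /proc/sys/kernel rw - tmpfs tmpfs rw\n";
const char *const SAMPLE_SUBDIR_PROC =
    "22 1 0:20 / / rw - ext4 /dev/sda1 rw\n"
    "23 22 0:4 /self /proc rw - proc proc rw\n";

int main(void)
{
    printf("plain proc:      %d\n", fs_looks_fully_visible(SAMPLE_PLAIN_PROC, "proc"));
    printf("over-mounted:    %d\n", fs_looks_fully_visible(SAMPLE_OVERMOUNTED_PROC, "proc"));
    printf("subdir bind:     %d\n", fs_looks_fully_visible(SAMPLE_SUBDIR_PROC, "proc"));
    printf("sysfs (absent):  %d\n", fs_looks_fully_visible(SAMPLE_PLAIN_PROC, "sysfs"));
    return 0;
}
```

On a real host, feed the function the contents of /proc/self/mountinfo from inside the mount namespace the container will run in, before it tries its own `mount -t proc`. The second sample is the case Ben's explanation covers: a container whose parent hid /proc/sys/kernel cannot get a fresh, unhidden proc by mounting it again inside a user namespace; the third sample is the bind-mount-of-a-subdirectory case that the "verify the root directory is visible" change closes.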
Processed: Re: Bug#841026: Pull: "userns: proc and sysfs mount fix"
Processing control commands:

> tags -1 - moreinfo
Bug #841026 [linux-image-3.16.0-4-amd64] Pull: "userns: proc and sysfs mount fix"
Removed tag(s) moreinfo.

-- 
841026: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841026
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#841026: Pull: "userns: proc and sysfs mount fix"
Control: tags -1 - moreinfo

> Are you sure you are seeing the same bug? AFAICT, the
> 
>     mnt: Fix fs_fully_visible to verify the root directory is visible
> 
> is as well included in the 3.16.7-ckt17-1 upload.

Oh! That's a very good point indeed, thank you. I hadn't noticed.
I tried 3.16.7-ckt17-1: still get EPERM when trying to mount /proc on a
user namespace.

For reference, I'm seeing the bug when using vagga, a tool to manage
user namespaces. The bug seems awfully similar to
https://github.com/tailhook/vagga/issues/12. I'm going to leave a note
in that bug pointing to here.

I have no idea what's going on, but the symptoms are the same.

Thanks!

-d
Bug#841026: Pull: "userns: proc and sysfs mount fix"
Control: tags -1 + moreinfo

Hi Dato,

On Sun, Oct 16, 2016 at 09:33:57PM -0300, Dato Simó wrote:
> Package: linux-image-3.16.0-4-amd64
> Version: 3.16.7-ckt17-1
> 
> The upload to jessie of linux 3.16.7-ckt17-1 included the following
> change:
> 
>   - mnt: Refactor the logic for mounting sysfs and proc in a user
>     namespace [1]
> 
> This broke mounting sysfs and procfs under a user namespace. There is a
> fix at [2] that claims to solve the problem.
> 
> It would be great if this fix could be included in the next upload to
> jessie.
> 
> Sadly, I haven't had time to run on my machine a kernel that includes
> that fix. I do know, however, that the problem is still present in
> 3.16.36-1+deb8u1.

Are you sure you are seeing the same bug? AFAICT, the

    mnt: Fix fs_fully_visible to verify the root directory is visible

is as well included in the 3.16.7-ckt17-1 upload.

Regards,
Salvatore
Processed: Re: Bug#841026: Pull: "userns: proc and sysfs mount fix"
Processing control commands:

> tags -1 + moreinfo
Bug #841026 [linux-image-3.16.0-4-amd64] Pull: "userns: proc and sysfs mount fix"
Added tag(s) moreinfo.

-- 
841026: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841026
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#841026: Pull: "userns: proc and sysfs mount fix"
Package: linux-image-3.16.0-4-amd64
Version: 3.16.7-ckt17-1

The upload to jessie of linux 3.16.7-ckt17-1 included the following
change:

  - mnt: Refactor the logic for mounting sysfs and proc in a user
    namespace [1]

This broke mounting sysfs and procfs under a user namespace. There is a
fix at [2] that claims to solve the problem.

It would be great if this fix could be included in the next upload to
jessie.

Sadly, I haven't had time to run on my machine a kernel that includes
that fix. I do know, however, that the problem is still present in
3.16.36-1+deb8u1.

Thanks for considering,

-d

[1]: Original commit (I believe): https://patchwork.kernel.org/patch/6408681/
[2]: Fix: https://lists.linuxfoundation.org/pipermail/containers/2015-May/035874.html