Re: Sandbox thoughts
Alexander Larsson <alexl redhat com> writes:

On Fri, 2015-02-20 at 17:05 -0800, Andy Lutomirski wrote:
On Fri, Feb 20, 2015 at 4:43 PM, Andy Lutomirski <luto amacapital net> wrote:
On Fri, Feb 20, 2015 at 4:31 PM, Eric W. Biederman
<ebiederm xmission com> wrote:
Andy Lutomirski <luto amacapital net> writes:

On Thu, Feb 19, 2015 at 8:38 AM, Alexander Larsson <alexl redhat com> wrote:
On Tue, 2015-02-17 at 13:23 -0800, Andy Lutomirski wrote:

 - setuid / privileged helper.  Why do you need a privileged helper?
You should be able to do all of this using user namespaces.  The
Sandstorm code linked above does exactly this.

I tried this a bit, but I ran into two snags I don't understand.

First of all, as uid/gid 1000 I can put "1000 1000 1"
in /proc/self/uid_map from the child. However, I cannot put "1000 1000
1" into gid_map, as I get EPERM.
I don't understand this, is this not supposed to work?

You need newer manpages :-/  Try the attached variant.

Yeah.  You need to disable setgroups for that to work.

Secondly, I'm failing to mount another instance of devpts. It fails with
EINVAL.

Hmm.  Off the top of my head, there's no good reason that devpts with
the newinstance option couldn't be allowed in a userns.  Eric, any
thoughts here?  The patch would be straightforward.

Looking at the code you have to have uid 0 and gid 0 mapped and you have
to specify newinstance.  But devpts is mountable without being the
global root user.

Wow, my grepping skills are nonexistent today.


The restriction of having uid 0 and gid 0 mapped is just that /dev/ptmx is
and has always been owned by root and so mknod_ptmx just won't let you
create a device inode with a uid or gid you can't map.

All we'd have to do is to add ptmx_uid and ptmx_gid options, right?
I'll send a patch.

With the patch I just sent out, the attached version of the test code works.

Hmm, I also want to have /sys read-only in the container, for things like
OpenGL to work (it needs to look at the PCI tables to see what driver to
load). This seems to be problematic; I keep getting EPERM when I try to
mount my own copy of it.

I am able to do a bind mount of the system one, *if* I pass in MS_REC
(which is not necessarily what I want), but I then later fail when
trying to remount it read-only.

MS_REC should be only required if there is something mounted on top of
one of the files in sysfs.  It sounds like there is, and exposing that
file would be a permission issue.

Remount read-only comes in two flavors.  A bind mount remount read-only
which you should be able to perform as non-root and a remount the
filesystem read-only for everyone.  I suspect you simply didn't specify
MS_BIND | MS_RDONLY when attempting to remount sysfs.

Eric
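The two fixes Eric describes above (disable setgroups before writing gid_map; remount the *bind* read-only with MS_BIND | MS_RDONLY rather than the whole filesystem), put together in one runnable program. This is an added example, not code from the thread or from the sandbox project being discussed. It also handles one thing the thread does not mention: inside a user namespace the kernel refuses a remount that drops nosuid/nodev/noexec/atime settings locked on the mount, so those are read back with statvfs() and carried over. The target path /tmp/sandbox-sys is a constructed example.

```c
/* Added example: unprivileged user namespace with self-mapped uid/gid,
 * then a read-only bind mount of /sys. Build: cc -o sbx sbx.c && ./sbx */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/statvfs.h>

/* Write a short string to a /proc file; returns 0 or -errno. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    int rc = write(fd, text, strlen(text)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

/* Format one "inside outside count" line for uid_map/gid_map. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside, unsigned count)
{
    return snprintf(buf, len, "%u %u %u\n", inside, outside, count);
}

/* A remount inside a user namespace may not clear flags the kernel locked
 * on the mount (nosuid, nodev, noexec, atime mode); re-specify them. */
unsigned long preserve_locked_flags(unsigned long st_flag)
{
    unsigned long ms = 0;
    if (st_flag & ST_NOSUID)     ms |= MS_NOSUID;
    if (st_flag & ST_NODEV)      ms |= MS_NODEV;
    if (st_flag & ST_NOEXEC)     ms |= MS_NOEXEC;
    if (st_flag & ST_NOATIME)    ms |= MS_NOATIME;
    if (st_flag & ST_NODIRATIME) ms |= MS_NODIRATIME;
    if (st_flag & ST_RELATIME)   ms |= MS_RELATIME;
    return ms;
}

/* MS_BIND limits the read-only change to this mount point; without it the
 * kernel would try to make the whole filesystem read-only, which needs
 * real root. */
unsigned long remount_ro_flags(unsigned long st_flag)
{
    return MS_BIND | MS_REMOUNT | MS_RDONLY | preserve_locked_flags(st_flag);
}

/* Enter new user+mount namespaces, mapping the caller's uid/gid to
 * themselves. Returns 0 or -errno from the failing step. */
int enter_self_mapped_userns(void)
{
    char map[64];
    unsigned uid = getuid(), gid = getgid();
    int rc;

    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0)
        return -errno;
    /* Since Linux 3.19 gid_map can only be written by an unprivileged
     * process after setgroups is denied; older kernels lack the file. */
    rc = write_file("/proc/self/setgroups", "deny");
    if (rc && rc != -ENOENT)
        return rc;
    format_id_map(map, sizeof map, uid, uid, 1);
    if ((rc = write_file("/proc/self/uid_map", map)))
        return rc;
    format_id_map(map, sizeof map, gid, gid, 1);
    if ((rc = write_file("/proc/self/gid_map", map)))
        return rc;
    /* Keep the mounts below from propagating back to the parent. */
    return mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0 ? -errno : 0;
}

/* Bind /sys onto target, then make that bind read-only. Returns 0 or -errno. */
int bind_sysfs_readonly(const char *target)
{
    struct statvfs sv;
    /* MS_REC carries along anything mounted on top of a sysfs path; the
     * non-recursive bind is refused when such a submount exists. */
    if (mount("/sys", target, NULL, MS_BIND | MS_REC, NULL) < 0)
        return -errno;
    if (statvfs(target, &sv) < 0)
        return -errno;
    if (mount(NULL, target, NULL, remount_ro_flags(sv.f_flag), NULL) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    const char *target = "/tmp/sandbox-sys";   /* constructed path */
    char probe[256];
    int rc = enter_self_mapped_userns();
    if (rc) { fprintf(stderr, "userns: %s\n", strerror(-rc)); return 1; }
    if (mkdir(target, 0755) < 0 && errno != EEXIST) { perror("mkdir"); return 1; }
    rc = bind_sysfs_readonly(target);
    if (rc) { fprintf(stderr, "bind /sys: %s\n", strerror(-rc)); return 1; }
    /* Creating anything through the bind must now fail with EROFS. */
    snprintf(probe, sizeof probe, "%s/probe", target);
    if (mkdir(probe, 0755) < 0)
        printf("mkdir under bind: %s\n", strerror(errno));
    return 0;
}
```

The statvfs() step is what turns the EPERM seen in the thread into a working remount on systems where /sys is already mounted nosuid,nodev,noexec; passing only MS_BIND | MS_REMOUNT | MS_RDONLY would drop those locked flags and be rejected.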