Re: Sandbox thoughts
- From: Andy Lutomirski <luto amacapital net>
- To: Alexander Larsson <alexl redhat com>
- Cc: gnome-os-list gnome org, mclasen redhat com, "Eric W. Biederman" <ebiederm xmission com>
- Subject: Re: Sandbox thoughts
- Date: Thu, 5 Mar 2015 15:26:02 -0800
On Wed, Mar 4, 2015 at 3:14 AM, Alexander Larsson <alexl redhat com> wrote:
> On tis, 2015-03-03 at 09:34 -0800, Andy Lutomirski wrote:
>> On Mon, Mar 2, 2015 at 11:59 PM, Alexander Larsson <alexl redhat com> wrote:
>>> Also, I'd like to make all the recursively bound subtrees readonly. Is
>>> there a better way to do this than enumerating all mounts and remounting
>>> all that are under /sys?
>>>
>>> In fact this is a general problem I have with recursive bind mounts. If
>>> I want to grant access to some directory with limited access (for
>>> example read-only or nosuid) then I have to use a recursive bind mount,
>>> but the remount is not recursive, and furthermore, it does not apply to
>>> later mounts that get propagated into my namespace.
>>
>> Oh, yuck.
>>
>> We should finally just make readonly bind mounts work in the first
>> place. You can partially mitigate this by remounting private before
>> you remount ro, though.
>
> I generally run in slave mode, which is what I want here. Either I'm in
> hard containment mode, and something like /mnt will not even be mounted in
> the container, or I'm allowing some form of access to the system/user
> files. If this contains e.g. /mnt then I definitely *do* want to get new
> mounts (say if the user inserted a usb stick).

Fair enough.

Eric, I don't understand the mount propagation code at all. Could
there be "propagate read-only" mode? (Presumably along with nodev,
nosuid, and noexec.)

--Andy

> --
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Alexander Larsson Red Hat, Inc
> alexl redhat com alexander larsson gmail com
> He's an uncontrollable drug-addicted boxer who knows the secret of the
> alien invasion. She's a cosmopolitan renegade mechanic from the wrong
> side of the tracks. They fight crime!
--
Andy Lutomirski
AMA Capital Management, LLC
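
Added example, not part of the original message and not written by anyone in the thread: one way to do the "enumerate all mounts and remount" workaround discussed above, by parsing `/proc/self/mountinfo` and remounting each writable mount under a root read-only while keeping its existing nosuid/nodev/noexec flags. The names `plan_readonly`, `remount_readonly`, `KEEP` and the sample mount table are assumptions made for this illustration.

```python
import ctypes, os, re

# Flag values from <linux/mount.h>.
MS_RDONLY, MS_REMOUNT, MS_BIND = 0x1, 0x20, 0x1000
KEEP = {"nosuid": 0x2, "nodev": 0x4, "noexec": 0x8,
        "noatime": 0x400, "nodiratime": 0x800, "relatime": 0x200000}

# Constructed sample in /proc/self/mountinfo format (not taken from the thread).
SAMPLE = r"""17 60 0:16 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw
18 17 0:6 / /sys/kernel/debug rw,relatime shared:7 - debugfs debugfs rw
19 17 0:17 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:8 - tmpfs tmpfs ro,mode=755
20 19 0:18 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:9 - cgroup cgroup rw
21 60 0:19 / /system rw,relatime - ext4 /dev/sda2 rw
22 17 0:20 / /sys/usb\040stick rw,relatime master:3 - vfat /dev/sdb1 rw
"""

def plan_readonly(mountinfo, root):
    """Return [(mountpoint, flags)] for every writable mount at or under root."""
    root = os.path.normpath(root)
    prefix = root.rstrip("/") + "/"   # "/sys/" must not match "/system"
    plan = []
    for line in mountinfo.splitlines():
        fields = line.split(" ")
        if len(fields) < 10 or "-" not in fields[6:]:
            continue  # not a mountinfo record
        # Field 5 is the mount point; space, tab, newline, backslash are octal-escaped.
        mp = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[4])
        opts = fields[5].split(",")
        if (mp == root or mp.startswith(prefix)) and "ro" not in opts:
            # MS_REMOUNT|MS_BIND replaces the per-mount flags wholesale, so carry
            # over nosuid/nodev/noexec/atime instead of silently clearing them.
            flags = MS_REMOUNT | MS_BIND | MS_RDONLY
            for o in opts:
                flags |= KEEP.get(o, 0)
            plan.append((mp, flags))
    return plan

def remount_readonly(root):
    """Apply the plan to the current mount namespace (needs CAP_SYS_ADMIN there)."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.mount.argtypes = (ctypes.c_char_p,) * 3 + (ctypes.c_ulong, ctypes.c_void_p)
    with open("/proc/self/mountinfo", errors="surrogateescape") as f:
        plan = plan_readonly(f.read(), root)
    for mp, flags in plan:
        if libc.mount(None, os.fsencode(mp), None, flags, None) != 0:
            err = ctypes.get_errno()
            raise OSError(err, os.strerror(err), mp)
    return [mp for mp, _ in plan]
```

The plan is a snapshot of the mount table: a mount that propagates into the namespace afterwards arrives with its own flags and is not covered, which is the gap the thread is discussing.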