Skip to content

L
lxc
Switch branch/tag
  1. 29 Jun, 2018 1 commit
    • autodev: adapt to changes in Linux 4.18 · 3e04a608
      Christian Brauner authored 
      Starting with commit
55956b59df33 ("vfs: Allow userns root to call mknod on owned filesystems.")
Linux will allow mknod() in user namespaces for userns root if CAP_MKNOD is
available.
However, these device nodes are useless since

static struct super_block *alloc_super(struct file_system_type *type, int flags,
                                       struct user_namespace *user_ns)
{
        /* <snip> */

        if (s->s_user_ns != &init_user_ns)
                s->s_iflags |= SB_I_NODEV;

        /* <snip> */
}

will set the SB_I_NODEV flag on the filesystem. When a device node created in
non-init userns is open()ed the call chain will hit:

bool may_open_dev(const struct path *path)
{
        return !(path->mnt->mnt_flags & MNT_NODEV) &&
                !(path->mnt->mnt_sb->s_iflags & SB_I_NODEV);
}

which will cause an EPERM because the device node is located on an fs
owned by non-init-userns and thus doesn't grant access to device nodes due to
SB_I_NODEV.

The solution is straightforward. Unless you're real root you should bind-mount
device nodes.
Signed-off-by: 's avatarChristian Brauner <christian.brauner@ubuntu.com>
  3. 27 Jun, 2018 3 commits
  5. 26 Jun, 2018 9 commits
  7. 25 Jun, 2018 4 commits
  9. 22 Jun, 2018 15 commits
  11. 20 Jun, 2018 6 commits
  13. 19 Jun, 2018 2 commits