[systemd-devel] [PATCH 1/2] Add detect_userns to detect uid/gid shifts

Lennart Poettering lennart at poettering.net
Thu Jan 8 15:39:23 PST 2015


On Thu, 08.01.15 15:33, Stéphane Graber (stgraber at ubuntu.com) wrote:

> As far as I know there's no obvious way to detect this case (well,
> short of trying a bunch of restricted syscalls). The only way I'm
> aware of is by comparing the target of /proc/self/ns/user to that of
> /proc/<real host pid 1>/ns/user which is doable at the host level
> but isn't once you are in a container with your own pid namespace
> (which since we're talking about pid 1 systemd there can probably be
> assumed).

Hmm, if this is so unreliable to detect maybe we shouldn't after all.

Given that git is no longer fatally failing if it cannot write to oom
adjust I think all is good now?
 
> > 
> > [0]: <lwn.net/Articles/539940/>
> > [1]:
> > 
> > [root at tomegun-x240 userns]# ./userns_child_exec -U -M '0 0 4294967295'
> > -G '0 0 4294967295' bash
> > [root at tomegun-x240 userns]# mknod null b 1 3
> > mknod: ‘null’: Operation not permitted
> > [root at tomegun-x240 userns]# mount -t tmpfs none test/
> > mount: permission denied
> > [root at tomegun-x240 userns]# exit
> > exit
> > [root at tomegun-x240 userns]# mknod null b 1 3
> > [root at tomegun-x240 userns]# mount -t tmpfs none test/
> 
> -- 
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com

Lennart

-- 
Lennart Poettering, Red Hat
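An added illustration of the detection problem discussed in this thread (this is not systemd code and did not appear in the original mails): it classifies the calling process's uid_map/gid_map as unshifted, shifted, or the full "0 0 4294967295" identity map, and compares the user namespace of the caller with that of pid 1 via the nsfs inode, as Stéphane describes. It assumes Linux with /proc mounted and the map format documented in user_namespaces(7); the caveat from the thread is visible in the result: a child namespace created with a full identity map (as in Tom's transcript) is indistinguishable from the initial namespace by its map alone, and inside a pid namespace "pid 1" is the container's own init, so the namespace comparison only says something on the host.

```c
/*
 * Added illustration (not systemd code, not from the thread): inspect the
 * uid/gid maps of the current process and compare namespace identities.
 *
 * Assumptions: Linux with /proc mounted; the /proc/<pid>/uid_map format
 * "inside outside length" and the nsfs st_dev/st_ino comparison are as
 * documented in user_namespaces(7) and namespaces(7).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define MAX_ENTRIES 16

/* One line of /proc/<pid>/uid_map or gid_map. */
struct idmap_entry { uint32_t inside, outside, length; };

enum idmap_kind {
    IDMAP_MALFORMED = -1,      /* unparseable text or unreadable file */
    IDMAP_EMPTY = 0,           /* no mapping written yet (fresh user namespace) */
    IDMAP_FULL_IDENTITY = 1,   /* exactly "0 0 4294967295": initial ns, or a child mapped 1:1 */
    IDMAP_IDENTITY_SUBSET = 2, /* 1:1 but covers only part of the id range */
    IDMAP_SHIFTED = 3          /* at least one range maps inside != outside */
};

/* Parse map text line by line. Returns the entry count or -1 if malformed. */
int parse_idmap(const char *text, struct idmap_entry *out, int max) {
    int n = 0;
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (strspn(text, " \t") < len) {            /* skip blank lines */
            char line[128];
            unsigned a, b, c;
            char extra;
            if (len >= sizeof line || n >= max) return -1;
            memcpy(line, text, len);
            line[len] = '\0';
            /* exactly three unsigned fields; a fourth token is an error */
            if (sscanf(line, "%u %u %u %c", &a, &b, &c, &extra) != 3) return -1;
            out[n].inside = a; out[n].outside = b; out[n].length = c;
            n++;
        }
        text = nl ? nl + 1 : text + len;
    }
    return n;
}

enum idmap_kind classify_idmap(const struct idmap_entry *e, int n) {
    if (n < 0) return IDMAP_MALFORMED;
    if (n == 0) return IDMAP_EMPTY;
    if (n == 1 && e[0].inside == 0 && e[0].outside == 0 && e[0].length == UINT32_MAX)
        return IDMAP_FULL_IDENTITY;
    for (int i = 0; i < n; i++)
        if (e[i].inside != e[i].outside) return IDMAP_SHIFTED;
    return IDMAP_IDENTITY_SUBSET;
}

enum idmap_kind classify_idmap_text(const char *text) {
    struct idmap_entry e[MAX_ENTRIES];
    int n = parse_idmap(text, e, MAX_ENTRIES);
    return classify_idmap(e, n);
}

/* Read e.g. /proc/self/uid_map and classify it; IDMAP_MALFORMED if unreadable. */
enum idmap_kind classify_idmap_file(const char *path) {
    char buf[4096];
    FILE *f = fopen(path, "r");
    if (!f) return IDMAP_MALFORMED;
    size_t got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[got] = '\0';
    return classify_idmap_text(buf);
}

/* 1 if both /proc/<pid>/ns/<type> links name the same namespace (same nsfs
 * st_dev/st_ino), 0 if not, -1 if either cannot be stat()ed. */
int same_ns(const char *a, const char *b) {
    struct stat sa, sb;
    if (stat(a, &sa) < 0 || stat(b, &sb) < 0) return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

int main(void) {
    static const char *names[] = { "malformed", "empty", "full identity",
                                   "identity subset", "shifted" };
    enum idmap_kind u = classify_idmap_file("/proc/self/uid_map");
    enum idmap_kind g = classify_idmap_file("/proc/self/gid_map");
    printf("uid_map: %s\ngid_map: %s\n", names[u + 1], names[g + 1]);
    /* Only meaningful when pid 1 really is the host's init: inside a pid
     * namespace this compares against the container's own pid 1. */
    int r = same_ns("/proc/self/ns/user", "/proc/1/ns/user");
    printf("same user ns as pid 1: %s\n", r < 0 ? "unknown" : r ? "yes" : "no");
    return 0;
}
```

Run it on the host and it reports "full identity" and "yes"; run it inside the userns_child_exec shell from Tom's transcript (identity map, but still a child user namespace) and the map classification is unchanged, which is exactly why the map cannot be used on its own to decide whether mknod or mount will be refused.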
