Re: [CFT][PATCH 00/10] Making new mounts of proc and sysfs as safe as bind mounts (take 2)
[Posted June 10, 2015 by jake]
From: Richard Weinberger <richard-/L3Ra7n9ekc-AT-public.gmane.org>
To: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA-AT-public.gmane.org>, Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ-AT-public.gmane.org>
Subject: Re: [CFT][PATCH 00/10] Making new mounts of proc and sysfs as safe as bind mounts (take 2)
Date: Thu, 28 May 2015 21:36:18 +0200
Message-ID: <55676E32.3050006@nod.at>
Cc: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w-AT-public.gmane.org>, Seth Forshee <seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw-AT-public.gmane.org>, Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA-AT-public.gmane.org>, Linux Containers <containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA-AT-public.gmane.org>, Greg Kroah-Hartman <gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r-AT-public.gmane.org>, Kenton Varda <kenton-AuYgBwuPrUQTaNkGU808tA-AT-public.gmane.org>, Michael Kerrisk-manpages <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w-AT-public.gmane.org>, Linux FS Devel <linux-fsdevel-u79uwXL29TY76Z2rM5mHXA-AT-public.gmane.org>, Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A-AT-public.gmane.org>
On 28.05.2015 at 16:08, Serge Hallyn wrote:
> Quoting Andy Lutomirski (luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org):
>> On Fri, May 22, 2015 at 10:39 AM, Eric W. Biederman
>> <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> wrote:
>>> I had hoped to get some Tested-By's on that patch series.
>>
>> Sorry, I've been totally swamped.
>>
>> I suspect that Sandstorm is okay, but I haven't had a chance to test
>> it for real. Sandstorm makes only limited use of proc and sysfs in
>> containers, but I'll see if I can test it for real this weekend.
>
> Testing this with unprivileged containers, I get
>
> lxc-start: conf.c: lxc_mount_auto_mounts: 808 Operation not permitted - error mounting sysfs on /usr/lib/x86_64-linux-gnu/lxc/sys/devices/virtual/net flags 0
>
FWIW, it also breaks libvirt-lxc:
Error: internal error: guest failed to start: Failed to re-mount /proc/sys on /proc/sys flags=1021: Operation not permitted
Thanks,
//richard
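Both reports above boil down to the same observable symptom: a fresh mount of sysfs or proc from inside an unprivileged container's user namespace fails with EPERM. The following is an added reproducer, not code from this thread, from lxc or from libvirt. It forks, moves the child into a new user + mount namespace the way an unprivileged container start does, attempts a brand-new mount of the given filesystem there, and reports exactly how that attempt ended, so the result can be compared across kernels with and without the patch series. The target paths under /tmp are assumptions, and the second probe with nosuid,nodev,noexec is there only to show whether the mount flags change the outcome on a given host.

```c
/* Added example (not code from the thread, lxc or libvirt): reproduce the
 * "Operation not permitted" seen when an unprivileged container freshly
 * mounts sysfs or proc.  Target paths and probe flags are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case sched.h was included before _GNU_SOURCE took effect. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);

enum probe_result {
    PROBE_MOUNT_OK = 0,   /* the fresh mount was allowed */
    PROBE_MOUNT_EPERM,    /* refused with EPERM, the error lxc and libvirt-lxc hit */
    PROBE_MOUNT_OTHER,    /* refused with some other errno (ENODEV, EINVAL, ...) */
    PROBE_NO_USERNS,      /* this environment does not let us create a user namespace */
    PROBE_INTERNAL        /* mkdir/fork/waitpid failed; nothing learned */
};

/* Runs in the forked child, so the parent's namespaces are never touched. */
static int child_probe(const char *fstype, const char *target, unsigned long flags)
{
    /* A new user namespace grants CAP_SYS_ADMIN over the new mount namespace,
     * which is exactly the privilege an unprivileged container relies on. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0)
        return PROBE_NO_USERNS;

    if (mount(fstype, target, fstype, flags, NULL) == 0) {
        umount(target);
        return PROBE_MOUNT_OK;
    }
    return errno == EPERM ? PROBE_MOUNT_EPERM : PROBE_MOUNT_OTHER;
}

/* Try a fresh mount of fstype on target inside a new user+mount namespace
 * with the given mount flags; returns an enum probe_result value. */
int probe_fresh_mount(const char *fstype, const char *target, unsigned long flags)
{
    if (mkdir(target, 0700) != 0 && errno != EEXIST)
        return PROBE_INTERNAL;

    pid_t pid = fork();
    if (pid < 0)
        return PROBE_INTERNAL;
    if (pid == 0)
        _exit(child_probe(fstype, target, flags));

    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return PROBE_INTERNAL;
    return WEXITSTATUS(status);
}

const char *probe_name(int r)
{
    switch (r) {
    case PROBE_MOUNT_OK:    return "mount allowed";
    case PROBE_MOUNT_EPERM: return "EPERM";
    case PROBE_MOUNT_OTHER: return "other mount error";
    case PROBE_NO_USERNS:   return "no user namespace available";
    default:                return "internal error";
    }
}

int main(void)
{
    /* Probe the way lxc did (flags 0), then with the flags host proc/sysfs
     * mounts commonly carry, to see whether that changes the result. */
    const unsigned long hardened = MS_NOSUID | MS_NODEV | MS_NOEXEC;
    printf("sysfs flags=0:             %s\n", probe_name(probe_fresh_mount("sysfs", "/tmp/probe-sysfs", 0)));
    printf("sysfs nosuid,nodev,noexec: %s\n", probe_name(probe_fresh_mount("sysfs", "/tmp/probe-sysfs", hardened)));
    printf("proc  flags=0:             %s\n", probe_name(probe_fresh_mount("proc", "/tmp/probe-proc", 0)));
    printf("proc  nosuid,nodev,noexec: %s\n", probe_name(probe_fresh_mount("proc", "/tmp/probe-proc", hardened)));
    return 0;
}
```

Run it as an ordinary user on the host you are testing (no root needed, since the whole point is the unprivileged path). A result of "EPERM" for the flags=0 probe is the condition the two container managers above ran into; "no user namespace available" means the environment itself forbids unshare(CLONE_NEWUSER), and the probe says nothing about the kernel's mount checks.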