sandbox: Spit out some info when unsharing userns gets EPERM #3266
Conversation
Ah sorry didn't see this - see my other comment thread: #3266 (comment) I haven't bothered to comprehend the Ubuntu/AppArmor details here but the high level (which I am already appraised of due due to my day job) is: creating user namespaces itself is harmless. The issue is that then you have I think there's some risk that on some system this issue might not manifest in
(Oh actually I think that specific case might already be true - block fs maintainers are under no illusion that their code is safe against arbitrary fs images!) |
|
What I'm saying is that |
bjackman
force-pushed
the
userns
branch
2 times, most recently
from
50937cb to
9524417
Compare
Sure, done |
mkosi/sandbox.py
Outdated
| try: | ||
| unshare(namespaces) | ||
| except OSError as e: | ||
| if e.errno == EPERM: | ||
| print(UNSHARE_EPERM_MSG, file=sys.stderr) | ||
|
|
There was a problem hiding this comment.
Is this really the only one that can fail due to permission issues? Or is this only when apparmor fails? What about if the sysctls are enabled?
There was a problem hiding this comment.
Just noticed my Ubuntu system has the kernel.unprivileged_userns_clone patch, so I tried that out. And indeed if I set that to 0 the failure happens in become_user. So I've just duplicated the logic there.
I think this could easily happen in a third place too, we probably can't make this foolproof, even if we just do it inside unshare. (E.g. I know of a certain Linux version that "solves" this problem in a third way that is neither kernel.unprivileged_userns_clone nor an LSM policy, I dunno where mkosi would fail on that system, I can't easily test it or share the details either).
To try and minimise the pain of this issue (systemd#3265), dump some info that might help users resolve it. I had a quick look around expecting to find a document from Red Hat discussing this topic much like the Ubuntu one I've linked here, but I didn't find it. Hopefully if it exists someone else can add it later. I'm doing this via a direct write to stderr because of the comment at the top of sandbox.py saying to avoid imports. If this is highly undesirable it looks like log.log_notice would be the right choice here (then you don't need the annoying ANSI codes).
|
Been a long time since I did any real work in the GitHub UI, it's got fancy new features (they still haven't fixed isaacs/github#386 though??), LMK if I'm doing anything stupid here. |
To try and minimise the pain of this issue
(#3265), dump some info that might help users resolve it.
I had a quick look around expecting to find a document from Red Hat discussing this topic much like the Ubuntu one I've linked here, but I didn't find it. Hopefully if it exists someone else can add it later.