-
Notifications
You must be signed in to change notification settings - Fork 331
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sandbox: Spit out some info when unsharing userns gets EPERM #3266
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The check should be done in become_user()
, not in unshare()
. You can catch the exception there and handle it in the same way.
Ah sorry didn't see this - see my other comment thread: #3266 (comment) I haven't bothered to comprehend the Ubuntu/AppArmor details here but the high level (which I am already appraised of due due to my day job) is: creating user namespaces itself is harmless. The issue is that then you have I think there's some risk that on some system this issue might not manifest in
(Oh actually I think that specific case might already be true - block fs maintainers are under no illusion that their code is safe against arbitrary fs images!) |
What I'm saying is that |
50937cb
to
9524417
Compare
Sure, done |
mkosi/sandbox.py
Outdated
try: | ||
unshare(namespaces) | ||
except OSError as e: | ||
if e.errno == EPERM: | ||
print(UNSHARE_EPERM_MSG, file=sys.stderr) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this really the only one that can fail due to permission issues? Or is this only when apparmor fails? What about if the sysctls are enabled?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just noticed my Ubuntu system has the kernel.unprivileged_userns_clone
patch, so I tried that out. And indeed if I set that to 0 the failure happens in become_user
. So I've just duplicated the logic there.
I think this could easily happen in a third place too, we probably can't make this foolproof, even if we just do it inside unshare
. (E.g. I know of a certain Linux version that "solves" this problem in a third way that is neither kernel.unprivileged_userns_clone
nor an LSM policy, I dunno where mkosi would fail on that system, I can't easily test it or share the details either).
To try and minimise the pain of this issue (systemd#3265), dump some info that might help users resolve it. I had a quick look around expecting to find a document from Red Hat discussing this topic much like the Ubuntu one I've linked here, but I didn't find it. Hopefully if it exists someone else can add it later. I'm doing this via a direct write to stderr because of the comment at the top of sandbox.py saying to avoid imports. If this is highly undesirable it looks like log.log_notice would be the right choice here (then you don't need the annoying ANSI codes).
Been a long time since I did any real work in the GitHub UI, it's got fancy new features (they still haven't fixed isaacs/github#386 though??), LMK if I'm doing anything stupid here. |
To try and minimise the pain of this issue
(#3265), dump some info that might help users resolve it.
I had a quick look around expecting to find a document from Red Hat discussing this topic much like the Ubuntu one I've linked here, but I didn't find it. Hopefully if it exists someone else can add it later.