kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #183975
[Bug 1582378] Re: Unsharing user and ipc namespaces simultaneously makes mqueue unmountable
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
xenial' to 'verification-done-xenial'.
If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!
** Tags added: verification-needed-xenial
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1582378
Title:
Unsharing user and ipc namespaces simultaneously makes mqueue
unmountable
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Xenial:
Fix Committed
Bug description:
Impact: When the ipc and user namespaces are unshared in a single
system call mqueue will do an internal mount of the new mqueue super
block before the new user namespace is installed. This results in
s_user_ns being set to the parent user ns, however the new ipc ns is
owned by the new user ns. Attempting to mount the mqueue filesystem in
the new user ns results in EBUSY when it should succeed. This breaks
docker when user namespace support is enabled.
Fix: Use the ipc namespace's owner for s_user_ns for all mqueue
mounts. Since mqueue already checks that the user has CAP_SYS_ADMIN in
this namespace for any userspace mounts we already know the user is
sufficiently privileged, and this is really the only arrangement that
makes sense.
Test Case: The following commands will result in a failure to mount
mqueue without the fix; with the fix the mount will succeed.
$ mkdir mnt
$ unshare -Umuniprf --mount-proc bash
# mount -t mqueue mqueue mnt
Originally reported at https://github.com/docker/docker/issues/22633.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1582378/+subscriptions
References