[Fedora 15/19] kexec: Export sysfs attributes for secureboot and secure modules to user space

Vivek Goyal vgoyal at redhat.com
Thu Sep 5 22:12:49 UTC 2013


On Thu, Sep 05, 2013 at 02:47:25PM -0700, Eric W. Biederman wrote:

[..]
> >> An important detail to look at is mount propagation, especially on
> >> fedora.  You need to make all of your mounts private to make certain
> >> mounts don't propagate out and possibly take some defensive measures
> >> to keep mounts or umounts from propagating in.  Remount /proc
> >> and /sys should be enough to defend against that but it is worth
> >> thinking about.
> >
> > Hi Eric,
> >
> > I do make /sbin/kexec's mount namespace private recursively so that no
> > mount events are propagated in/out.
> >
> > +	 * make root private so that no mount event from previous
> > namespace
> > +	 * are propogated
> > +	 */
> > +	ret = mount("", "/", "", MS_REC | MS_PRIVATE, "");
> > +	if (ret == -1) {
> > +		fprintf(stderr, "mount(MS_REC|MS_PRIVATE) failed:%s\n",
> > +					strerror(errno));
> > +		return -1;
> > +	}
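Review bot: the comment above the mount() call should say that it runs only after the process has entered its own mount namespace (unshare(CLONE_NEWNS) or an equivalent), since the visible lines do not show that step and, if this call ran in the initial namespace, MS_REC|MS_PRIVATE on "/" would turn every mount on the host private instead of only kexec's; the comment also misspells "propagated" as "propogated".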
> 
> That prevents transmission but my previous read of the code says you
> will still receive mount changes, for mount points the parent shares.
> Which are all of them in the world of systemd, last I heard.

Hi Eric,

I think I am not understanding something very basic. I am not sure what you
mean by "still receive mount changes for mount points the parent shares".
I tried the following.

- Open a terminal
- mkdir /tmp/kexec-proc
- mount -t proc none /tmp/kexec-proc
- Now open another terminal and launch a bash shell with separate mount
  namespace
  unshare -m bash
- In the new bash shell I can see that proc is mounted on /tmp/kexec-proc
- In the new bash shell, make / private recursively.
  mount --make-rprivate /
- Now in original bash shell unmount /tmp/kexec-proc
- I go back to new bash and there /tmp/kexec-proc is still mounted. So
  changes to original mount namespace did not reflect in this new one. I
  am assuming same will happen when systemd does some changes to initial
  mount namespace and they should not be visible in /sbin/kexec mount
  namespace.

Looks like I am entirely missing the point you are making. Can you please
elaborate a bit?

Thanks
Vivek
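
The experiment above checks propagation by hand (mount in one shell, look in the other). The script below is an added example, not code from this thread or from the kexec-tools project: it reads the propagation state of each mount straight from /proc/self/mountinfo, where the kernel records the optional fields shared:N, master:N, propagate_from:N and unbindable, so the state of a namespace can be inspected without root and without having to trigger a mount event. The function names are our own; the sample mountinfo lines used to exercise the parser are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report the propagation type of mounts
# by parsing /proc/self/mountinfo. A mount with no optional field is private.

# Classify one mountinfo line. Fields 1-6 are fixed (id, parent id, dev,
# root, mount point, options); the optional propagation fields follow and
# end at the "-" separator before the filesystem type.
mountinfo_propagation() {
    printf '%s\n' "$1" | awk '{
        shared = 0; slave = 0; unb = 0
        for (i = 7; i <= NF && $i != "-"; i++) {
            if ($i ~ /^shared:/)              shared = 1
            else if ($i ~ /^master:/)         slave = 1
            else if ($i ~ /^propagate_from:/) slave = 1
            else if ($i == "unbindable")      unb = 1
        }
        out = ""
        if (shared) out = "shared"
        if (slave)  out = (out == "" ? "slave" : out ",slave")
        if (unb)    out = (out == "" ? "unbindable" : out ",unbindable")
        if (out == "") out = "private"
        print out
    }'
}

# Look up a mount point in the calling process's own mount namespace
# (field 5 of mountinfo). Returns 1 when nothing is mounted there.
mount_propagation() {
    line=$(awk -v mp="$1" '$5 == mp { print; exit }' /proc/self/mountinfo)
    [ -n "$line" ] || return 1
    mountinfo_propagation "$line"
}

# When run with mount points as arguments, print the state of each one.
if [ "$#" -gt 0 ]; then
    for mp in "$@"; do
        printf '%s: %s\n' "$mp" "$(mount_propagation "$mp" || echo 'not a mount point')"
    done
fi
```

Running it as `sh mountprop.sh / /tmp/kexec-proc` in the original terminal and again inside the `unshare -m bash` shell, before and after `mount --make-rprivate /`, shows the difference directly: on a systemd-booted system the parent namespace's mounts report `shared`, the freshly unshared shell initially reports `slave` or `shared` for the same paths, and after `--make-rprivate` they report `private`, which is the state in which neither direction of propagation applies.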

