[Fedora 15/19] kexec: Export sysfs attributes for secureboot and secure modules to user space

Eric W. Biederman ebiederm at xmission.com
Fri Sep 6 00:17:25 UTC 2013


Vivek Goyal <vgoyal at redhat.com> writes:

> On Thu, Sep 05, 2013 at 02:47:25PM -0700, Eric W. Biederman wrote:
>
> [..]
>> >> An important detail to look at is mount propagation, especially on
>> >> fedora.  You need to make all of your mounts private to make certain
>> >> mounts don't propagate out and possibly take some defensive measures
>> >> to keep mounts or umounts from propagating in.  Remount /proc
>> >> and /sys should be enough to defend against that but it is worth
>> >> thinking about.
>> >
>> > Hi Eric,
>> >
>> > I do make /sbin/kexec's mount namespace private recursively so that no
>> > mount events are propagated in/out.
>> >
>> > +	 * make root private so that no mount event from previous
>> > namespace
>> > +	 * are propogated
>> > +	 */
>> > +	ret = mount("", "/", "", MS_REC | MS_PRIVATE, "");
>> > +	if (ret == -1) {
>> > +		fprintf(stderr, "mount(MS_REC|MS_PRIVATE) failed:%s\n",
>> > +					strerror(errno));
>> > +		return -1;
>> > +	}
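Review bot: the comment on this hunk describes only half of what the call does: MS_REC | MS_PRIVATE on / stops mount events from propagating in from the parent namespace and also stops mounts made here from propagating out, which is the point this thread settles, so the comment should state both directions; also spell "propagated", and put a space after the colon in the error string ("failed: %s").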
>> 
>> That prevents transmission but my previous read of the code says you
>> will still receive mount changes, for mount points the parent shares.
>> Which are all of them in the world of systemd, last I heard.
>
> Hi Eric,
>
> I think I am not understanding something very basic. I am not sure what
> you mean by "still receive mount changes for mount points the parent shares".
> I tried the following.
>
> - Open a terminal
> - mkdir /tmp/kexec-proc
> - mount -t proc none /tmp/kexec-proc
> - Now open another terminal and launch a bash shell with separate mount
>   namespace
>   unshare -m bash
> - In the new bash shell I can see that proc is mounted on /tmp/kexec-proc
> - In the new bash shell, make / private recursively.
>   mount --make-rprivate /
> - Now in original bash shell unmount /tmp/kexec-proc
> - I go back to new bash and there /tmp/kexec-proc is still mounted. So
>   changes to original mount namespace did not reflect in this new one. I
>   am assuming same will happen when systemd does some changes to initial
>   mount namespace and they should not be visible in /sbin/kexec mount
>   namespace.
>
> Looks like I am entirely missing the point you are making. Can you please
> elaborate a bit.

My apologies.  It appears I had mount --make-rslave / and mount --make-rprivate
scrambled in my head.

Private does indeed prevent mounts from propagating in from the parent
mount namespace.

Eric
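An added check, not code from this thread or from kexec-tools: after the mount(MS_REC | MS_PRIVATE) call quoted above, a program can read /proc/self/mountinfo and confirm that no mount is still shared (sends events) or a slave (receives events), which is exactly the shared/slave/private distinction the thread turns on. The mountinfo dump below is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

enum { PROP_SHARED = 1, PROP_SLAVE = 2 };

/* Classify one /proc/self/mountinfo line by the optional fields between the
 * six fixed fields and the "-" separator (paths are octal-escaped, so blank
 * splitting is safe).  0 means no events in or out (private/unbindable). */
int mountinfo_propagation(const char *line)
{
    char buf[1024], *tok;
    int field = 0, flags = 0;
    snprintf(buf, sizeof(buf), "%s", line);
    for (tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        if (++field <= 6)
            continue;                 /* id parent dev root mntpoint opts */
        if (strcmp(tok, "-") == 0)
            break;                    /* end of optional fields */
        if (strncmp(tok, "shared:", 7) == 0)
            flags |= PROP_SHARED;     /* sends events to its peer group */
        else if (strncmp(tok, "master:", 7) == 0)
            flags |= PROP_SLAVE;      /* receives events from a master */
    }
    return flags;
}

/* Count mounts that can still send (shared:) or receive (master:) events.
 * Expect 0 once mount("", "/", "", MS_REC | MS_PRIVATE, "") has succeeded. */
int count_propagating_mounts(const char *mountinfo)
{
    int n = 0;
    for (const char *p = mountinfo; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[1024];
        snprintf(line, sizeof(line), "%.*s", (int)len, p);
        if (len && mountinfo_propagation(line))
            n++;
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Constructed sample dump (not from a real system): / is shared, /proc is
 * a slave, /sys is private and /mnt is unbindable. */
static const char SAMPLE_MOUNTINFO[] =
    "22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "23 22 0:4 / /proc rw,nosuid master:2 - proc proc rw\n"
    "24 22 0:20 / /sys rw,nosuid - sysfs sysfs rw\n"
    "25 22 0:21 / /mnt rw unbindable - tmpfs tmpfs rw\n";
```

On a live system, feed the contents of /proc/self/mountinfo to count_propagating_mounts() right after the make-private call; a non-zero result means some mount would still exchange events with another namespace.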

