[Fedora 15/19] kexec: Export sysfs attributes for secureboot and secure modules to user space
Eric W. Biederman
ebiederm at xmission.com
Fri Sep 6 00:17:25 UTC 2013
Vivek Goyal <vgoyal at redhat.com> writes:
> On Thu, Sep 05, 2013 at 02:47:25PM -0700, Eric W. Biederman wrote:
>
> [..]
>> >> An important detail to look at is mount propagation, especially on
>> >> fedora. You need to make all of your mounts private to make certain
>> >> mounts don't propagate out and possibly take some defensive measures
>> >> to keep mounts or umounts from propagating in. Remount /proc
>> >> and /sys should be enough to defend against that but it is worth
>> >> thinking about.
>> >
>> > Hi Eric,
>> >
>> > I do make /sbin/kexec's mount namespace private recursively so that no
>> > mount events are propagated in/out.
>> >
>> > + * make root private so that no mount event from previous
>> > namespace
>> > + * are propogated
>> > + */
>> > + ret = mount("", "/", "", MS_REC | MS_PRIVATE, "");
>> > + if (ret == -1) {
>> > + fprintf(stderr, "mount(MS_REC|MS_PRIVATE) failed:%s\n",
>> > + strerror(errno));
>> > + return -1;
>> > + }
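Review bot: the comment at the top of the snippet misspells "propogated" and has a number-agreement slip ("no mount event ... are"); suggest "* make root private so that no mount events from the previous namespace are propagated". That comment would also be the right place to state that MS_REC | MS_PRIVATE on "/" severs propagation in both directions (in and out), since the surrounding discussion turns on exactly that point. Minor: the error string "mount(MS_REC|MS_PRIVATE) failed:%s" would read better with a space after the colon.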
>>
>> That prevents transmission but my previous read of the code says you
>> will still receive mount changes, for mount points the parent shares.
>> Which are all of them in the world of systemd, last I heard.
>
> Hi Eric,
>
> I think I am not understanding something very basic. I am not sure what
> you mean by "still receive mount changes for mount points the parent shares".
> I tried the following.
>
> - Open a terminal
> - mkdir /tmp/kexec-proc
> - mount -t proc none /tmp/kexec-proc
> - Now open another terminal and launch a bash shell with separate mount
> namespace
> unshare -m bash
> - In the new bash shell I can see that proc is mounted on /tmp/kexec-proc
> - In the new bash shell, make / private recursively.
> mount --make-rprivate /
> - Now in original bash shell unmount /tmp/kexec-proc
> - I go back to new bash and there /tmp/kexec-proc is still mounted. So
> changes to original mount namespace did not reflect in this new one. I
> am assuming same will happen when systemd does some changes to initial
> mount namespace and they should not be visible in /sbin/kexec mount
> namespace.
>
> Looks like I am entirely missing the point you are making. Can you please
> elaborate a bit?
My apologies. It appears I had mount --make-rslave / and mount --make-rprivate
scrambled in my head.
Private does indeed prevent mounts from propagating in from the parent
mount namespace.
Eric
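The experiment above checks by hand that nothing in the new namespace still propagates. The following is an added example written for this page (not code from kexec-tools or from the thread): it parses /proc/self/mountinfo-format text and counts mounts whose optional fields still carry a "shared:" or "master:" tag, so a process can confirm that "mount --make-rprivate /" (or the MS_REC | MS_PRIVATE call in the patch) really left every mount private. The sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MI_LINE_MAX 4096
/* 1 if one mountinfo line carries a shared: or master: tag in its optional
 * fields (the region between the mount options and the " - " separator). */
static int line_propagates(const char *line, size_t len)
{
    char buf[MI_LINE_MAX];
    if (len >= sizeof buf) len = sizeof buf - 1;
    memcpy(buf, line, len);
    buf[len] = '\0';
    char *dash = strstr(buf, " - ");   /* optional fields end here */
    if (dash) *dash = '\0';
    return strstr(buf, " shared:") != NULL || strstr(buf, " master:") != NULL;
}

/* Count mounts in a mountinfo text that can still send or receive
 * propagation events; 0 means the namespace is fully private. */
int propagating_mounts(const char *mountinfo)
{
    int count = 0;
    for (const char *p = mountinfo; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        count += line_propagates(p, len);
        p += len + (nl ? 1 : 0);
    }
    return count;
}

/* Same check on the calling process's own namespace; -1 if unreadable. */
int self_propagating_mounts(void)
{
    char buf[MI_LINE_MAX];
    int count = 0;
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f) return -1;
    while (fgets(buf, sizeof buf, f))
        count += line_propagates(buf, strlen(buf));
    fclose(f);
    return count;
}

/* Constructed samples: a shared root, a slave mount and the private proc
 * mount from the experiment, before and after "mount --make-rprivate /". */
const char *SAMPLE_SHARED =
    "22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "40 22 8:2 / /mnt rw,relatime master:1 - ext4 /dev/sda2 rw\n"
    "55 22 0:4 / /tmp/kexec-proc rw,relatime - proc none rw\n";
const char *SAMPLE_PRIVATE =
    "22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
    "55 22 0:4 / /tmp/kexec-proc rw,relatime - proc none rw\n";
```

Calling self_propagating_mounts() right after the MS_REC | MS_PRIVATE mount and refusing to continue unless it returns 0 turns the manual check into an assertion in the tool itself.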