Question about NsJail mounting order


Greg Owen

Aug 14, 2017, 9:33:23 PM
to nsjail
Hello all,

I've noticed that NsJail seems to mount directories in an odd order. From what I can tell, this is the order of operations:
1) it mounts all directories RW at the NsJail root directory
2) it calls pivot_root to make the NsJail root directory the new root
3) it remounts all of the RO directories as RO, using their paths relative to the NsJail root (i.e. /bin instead of /dev/shm/nsjail.root/bin)

This seems strange to me:
1) why mount the RO directories as RW?
2) why remount them as RO *after* calling pivot_root?

The reason that I've even noticed this is that I'm running NsJail inside an LXC container and am specifying the container's permissions via AppArmor.
The order of mounting means that I have to allow attaching any type of directory to the NsJail root directory AND allow attaching RO directories anywhere (since most of them are mounted directly under the NsJail root, which makes them appear as if they were mounted directly under / during step 3 above).
This latter part is the most worrisome, since I have non-NsJail processes running in the same container and this would give them permission to mount potentially-sensitive directories into other locations, defeating my other AppArmor policies (which are based on absolute paths).

Thanks,
Greg

Robert Święcki

Aug 15, 2017, 10:23:34 AM
to Greg Owen, nsjail
2017-08-15 3:33 GMT+02:00 Greg Owen <gr...@databricks.com>:
> Hello all,
>
> I've noticed that NsJail seems to mount directories in an odd order. From what I can tell, this is the order of operations:
> 1) it mounts all directories RW at the NsJail root directory
> 2) it calls pivot_root to make the NsJail root directory the new root
> 3) it remounts all of the RO directories as RO, using their paths relative to the NsJail root (i.e. /bin instead of /dev/shm/nsjail.root/bin)
>
> This seems strange to me:
> 1) why mount the RO directories as RW?
> 2) why remount them as RO *after* calling pivot_root?

This might be an answer you didn't expect to hear, but: I don't remember :)

I must have tested various operations in the beginning of nsjail, and possibly it's about the inability to mount other filesystems inside the RO mount point.

If you come to the conclusion (via testing) that this re-mounting is not necessary, I'll be happy to get rid of it, but I believe there was some important reason for its existence that got lost over time :)
 

> The reason that I've even noticed this is that I'm running NsJail inside an LXC container and am specifying the container's permissions via AppArmor.
> The order of mounting means that I have to allow attaching any type of directory to the NsJail root directory AND allow attaching RO directories anywhere (since most of them are mounted directly under the NsJail root, which makes them appear as if they were mounted directly under / during step 3 above).
> This latter part is the most worrisome, since I have non-NsJail processes running in the same container and this would give them permission to mount potentially-sensitive directories into other locations, defeating my other AppArmor policies (which are based on absolute paths).

--
Robert Święcki

Robert Święcki

Aug 15, 2017, 4:41:16 PM
to Greg Owen, nsjail
2017-08-15 16:23 GMT+02:00 Robert Święcki <rob...@swiecki.net>:

> 2017-08-15 3:33 GMT+02:00 Greg Owen <gr...@databricks.com>:
> > Hello all,
> >
> > I've noticed that NsJail seems to mount directories in an odd order. From what I can tell, this is the order of operations:
> > 1) it mounts all directories RW at the NsJail root directory
> > 2) it calls pivot_root to make the NsJail root directory the new root
> > 3) it remounts all of the RO directories as RO, using their paths relative to the NsJail root (i.e. /bin instead of /dev/shm/nsjail.root/bin)
> >
> > This seems strange to me:
> > 1) why mount the RO directories as RW?
> > 2) why remount them as RO *after* calling pivot_root?
>
> This might be an answer you didn't expect to hear, but: I don't remember :)
>
> I must have tested various operations in the beginning of nsjail, and possibly it's about the inability to mount other filesystems inside the RO mount point.
>
> If you come to the conclusion (via testing) that this re-mounting is not necessary, I'll be happy to get rid of it, but I believe there was some important reason for its existence that got lost over time :)


I think I remember now. It was because if you mount / as RO then you need to create a directory inside it if you want to mount more things inside it.

Therefore the 2-phase working mode.
 
 

> > The reason that I've even noticed this is that I'm running NsJail inside an LXC container and am specifying the container's permissions via AppArmor.
> > The order of mounting means that I have to allow attaching any type of directory to the NsJail root directory AND allow attaching RO directories anywhere (since most of them are mounted directly under the NsJail root, which makes them appear as if they were mounted directly under / during step 3 above).
> > This latter part is the most worrisome, since I have non-NsJail processes running in the same container and this would give them permission to mount potentially-sensitive directories into other locations, defeating my other AppArmor policies (which are based on absolute paths).
>
> --
> Robert Święcki



--
Robert Święcki
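
The two-phase sequence discussed in this thread, sketched in C as an added example; it is not NsJail's code and was not posted by either participant. `phase_flags` and `build_jail` are hypothetical names, and the sketch assumes root on Linux and binds only /bin into a tmpfs root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000 /* fallback if <sched.h> did not expose it */
#endif

/* Mount flags per phase: 1 = before pivot_root, 2 = after it. */
unsigned long phase_flags(int phase, int read_only) {
    if (phase == 1) /* always writable first; mount(2) ignores MS_RDONLY on a new bind */
        return MS_BIND | MS_REC;
    return MS_BIND | MS_REMOUNT | (read_only ? MS_RDONLY : 0);
}

/* Hypothetical helper: builds a jail under root with a read-only /bin.
 * Returns 0 on success, otherwise the number of the step that failed. */
int build_jail(const char *root) {
    if (syscall(SYS_unshare, CLONE_NEWNS)) return 1;
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) return 2;
    if (mount("none", root, "tmpfs", 0, NULL) || chdir(root)) return 3;
    /* Phase 1: mkdir works only because the new root is still writable. */
    if (mkdir("bin", 0755) || mkdir("old", 0755)) return 4;
    if (mount("/bin", "bin", NULL, phase_flags(1, 1), NULL)) return 5;
    if (syscall(SYS_pivot_root, ".", "old") || chdir("/")) return 6;
    if (umount2("/old", MNT_DETACH)) return 7;
    /* Phase 2: targets are now /bin and /, not <root>/bin, so a path-based
     * mount policy sees these post-pivot paths. */
    if (mount(NULL, "/bin", NULL, phase_flags(2, 1), NULL)) return 8;
    if (mount(NULL, "/", NULL, MS_REMOUNT | MS_RDONLY, NULL)) return 9;
    return 0;
}

int main(void) {
    const char *root = "/dev/shm/nsjail.root"; /* path quoted in the thread */
    mkdir(root, 0700);
    int step = build_jail(root);
    if (step) { fprintf(stderr, "step %d failed: errno %d\n", step, errno); return 1; }
    /* With / read-only, a new mount point can no longer be created. */
    int rc = mkdir("/newdir", 0755);
    printf("mkdir after RO remount: rc=%d errno=%d (EROFS=%d)\n", rc, errno, EROFS);
    return 0;
}
```
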