[PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

James Bottomley James.Bottomley at HansenPartnership.com
Mon Nov 21 17:33:55 UTC 2022


On Mon, 2022-11-21 at 16:05 +0100, Greg Kroah-Hartman wrote:
> On Mon, Nov 21, 2022 at 09:03:18AM -0500, James Bottomley wrote:
> > On Mon, 2022-11-21 at 12:05 +0100, Greg Kroah-Hartman wrote:
> > > On Sun, Nov 20, 2022 at 10:14:26PM -0500, James Bottomley wrote:
[...]
> > > > I already explained in the email that sysfs contains APIs like
> > > > simple_pin_... which are completely inimical to namespacing.
> > > 
> > > Then how does the networking code handle the namespace stuff in
> > > sysfs? That seems to work today, or am I missing something?
> > 
> > have you actually tried?
> > 
> > jejb at lingrow:~> sudo unshare --net bash
> > lingrow:/home/jejb # ls /sys/class/net/
> > lo  tun0  tun10  wlan0
> > lingrow:/home/jejb # ip link show
> > 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT
> > group
> > default qlen 1000
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > 
> > So, as you see, I've entered a network namespace and ip link shows
> > me the only interface I can see in that namespace (a down loopback)
> > but sysfs shows me every interface on the system outside the
> > namespace.
> 
> Then all of the code in include/kobject_ns.h is not being used?  We
> have a whole kobject namespace set up for networking, I just assumed
> they were using it.  If not, I'm all for ripping it out.

Hm, looking at the implementation, it seems to trigger off the
superblock (meaning you have to remount inside a mount namespace) and
it only works to control visibility in label based namespaces, so this
does actually work

jejb at lingrow:~/git/linux> sudo unshare  --net --mount bash 
lingrow:/home/jejb # mount -t sysfs none /sys
lingrow:/home/jejb # ls /sys/class/net/
lo

The label based approach means that any given file can be shown in one
and only one namespace, which works for net, but not much else
(although it probably could be adapted).

James



More information about the Linux-security-module-archive mailing list