From: Lucas Nussbaum
To: Ludovic Courtès
Cc: 46292@debbugs.gnu.org
Subject: bug#46292: ‘guix environment -C’ fails with Linux 4.19 (Debian)
Date: Thu, 18 Feb 2021 14:23:34 +0100
Message-ID: <20210218132334.GC20744@xanadu.blop.info>
In-Reply-To: <877dn5sj14.fsf_-_@gnu.org>
References: <87h7ms8658.fsf@inria.fr> <20210210060403.GA15175@xanadu.blop.info> <877dn5sj14.fsf_-_@gnu.org>

Hi Ludovic,

On 18/02/21 at 12:38 +0100, Ludovic Courtès wrote:
> Hi Lucas,
>
> Lucas Nussbaum wrote:
>
> > This is not due to NFS, but due to the fact that the NFS mount is
> > mounted nosuid (and nodev, probably). I can reproduce it on a local
> > filesystem mounted nosuid.
> >
> > It seems that, when remounting a bind mount which is originally nosuid
> > inside a mount ns, you need to specify explicitly the nosuid option, or
> > else can_change_locked_flags()[1] will return false.
> >
> > [1] https://github.com/torvalds/linux/blame/master/fs/namespace.c#L2480
> >
> > There's a concept of "locked mount flags" that cannot be cleared by a
> > less privileged user (see [2]). Our call to 'mount -o remount' ignores the
> > fact that the filesystem is mounted nosuid (and does not include this
> > flag), so the remount call tries to remove nosuid, and fails.
> >
> > [2] https://github.com/torvalds/linux/commit/9566d6742852c527bf5af38af5cbb878dad75705
>
> Ooh, thanks for investigating!
>
> > This probably needs to be fixed in Guix by fetching the current mount
> > flags and including them in the bind+remount+readonly call.
> > Unfortunately I did not find an easy way to convert mount flags in
> > /proc/$$/mountinfo to flags for the mount syscall...
>
> I tried grabbing mount options from there and reapplying them to the
> MS_REMOUNT call (patch below). However, that still doesn’t work:
>
> --8<---------------cut here---------------start------------->8---
> 14273 mount("/gnu/store/mmhimfwmmidf09jw1plw3aw1g1zn2nkh-bash-static-5.0.16", "/tmp/guix-directory.Plgkgt//gnu/store/mmhimfwmmidf09jw1plw3aw1g1zn2nkh-bash-static-5.0.16", 0x236a4b0, MS_RDONLY|MS_REMOUNT|MS_BIND, "rw,nosuid,nodev,relatime") = -1 EPERM (Operation not permitted)
> --8<---------------cut here---------------end--------------->8---

That's strange: it worked in my manual tests.

> Interestingly, the ‘mount’ command does not attempt to re-apply the
> original mount options (“nosuid” & co.):
>
> --8<---------------cut here---------------start------------->8---
> # strace -e mount mount --bind -o ro t m
> mount("/home/lcourtes/t", "/home/lcourtes/m", 0x564dde270cb0, MS_RDONLY|MS_BIND, NULL) = 0
> mount("none", "/home/lcourtes/m", NULL, MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
> mount: /home/lcourtes/m: filesystem was mounted, but any subsequent operation failed: Unknown error 5005.
> +++ exited with 32 +++
> # mount --version
> mount from util-linux 2.33.1 (libmount 2.33.1: selinux, smack, btrfs, namespaces, assert, debug)
> --8<---------------cut here---------------end--------------->8---
>
> To be continued…

I think that's something I also initially misunderstood as well:
mount -o remount, essentially means: remount the filesystem with a fresh
set of flags. The set of flags previously configured is completely
ignored.

Lucas
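
Added example, not part of the original message and not Guix code: a C sketch of the conversion discussed in the thread, turning the per-mount options field of a /proc/self/mountinfo line into MS_* bits so that a read-only bind remount restates nosuid, nodev and the other restrictions in its flags argument. The function names and the sample line are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Constructed sample line in /proc/self/mountinfo format (not from the thread). */
static const char SAMPLE_LINE[] =
    "97 62 8:1 /home/u/t /tmp/m rw,nosuid,nodev,relatime shared:1 - ext4 /dev/sda1 rw";

/* Per-mount options as printed in field 6 of mountinfo, with their MS_* bits. */
static const struct { const char *name; unsigned long flag; } opt_map[] = {
    { "ro", MS_RDONLY },       { "nosuid", MS_NOSUID },
    { "nodev", MS_NODEV },     { "noexec", MS_NOEXEC },
    { "noatime", MS_NOATIME }, { "nodiratime", MS_NODIRATIME },
    { "relatime", MS_RELATIME },
};

/* Parse one mountinfo line: copy the mount point into `mnt` and return the
   MS_* bits of its per-mount options, or (unsigned long)-1 if malformed.
   Spaces in paths are escaped as \040 there, so fields never contain blanks. */
unsigned long mountinfo_flags(const char *line, char *mnt, size_t mntlen)
{
    char point[4096], opts[256];
    unsigned long flags = 0;

    if (sscanf(line, "%*d %*d %*u:%*u %*s %4095s %255s", point, opts) != 2)
        return (unsigned long)-1;
    snprintf(mnt, mntlen, "%s", point);
    for (char *tok = strtok(opts, ","); tok; tok = strtok(NULL, ","))
        for (size_t i = 0; i < sizeof opt_map / sizeof opt_map[0]; i++)
            if (strcmp(tok, opt_map[i].name) == 0)
                flags |= opt_map[i].flag;
    return flags;
}

/* Flags for a read-only bind remount that restates every existing restriction
   (nosuid, nodev, noexec, atime mode) instead of implicitly clearing it. */
unsigned long readonly_remount_flags(unsigned long current)
{
    return current | MS_BIND | MS_REMOUNT | MS_RDONLY;
}

int main(void)
{
    char mnt[4096];
    unsigned long cur = mountinfo_flags(SAMPLE_LINE, mnt, sizeof mnt);

    /* The call itself would be: mount("none", mnt, NULL, flags, NULL) */
    printf("%s: current=%#lx remount=%#lx\n", mnt, cur, readonly_remount_flags(cur));
    return 0;
}
```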