From: Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Sukadev Bhattiprolu
<sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
Cc: Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
"David C. Hansen"
<haveblue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
Alexey Dobriyan
<adobriyan-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
roland-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
Pavel Emelyanov <xemul-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org>
Subject: Re: [RFC][PATCH 2/2] Prevent container-inits from using CLONE_PARENT
Date: Thu, 18 Jun 2009 17:35:01 +0200 [thread overview]
Message-ID: <20090618153501.GA6404@redhat.com> (raw)
In-Reply-To: <20090618025103.GB31672-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
On 06/17, Sukadev Bhattiprolu wrote:
>
> Prevent container-inits from using CLONE_PARENT
>
> If a container-init creates a sibling (using CLONE_PARENT), pid namespace
> semantics become complicated:
>
> - the "active pid namespace" of the sibling will be the descendant
> container, but its not obvious if that is correct.
>
> - if container-init exits, it will terminate the sibling, but again
> its not clear if that is the correct behavior.
>
> - the sibling exists in both parent and child containers while current
> pid namespace semantics assume that only container-init can exist
> in both parent/child containers.
>
> - the parent of the sibling is not a descendant of container-init
> (while pid namespaces assume that all processes in the container
> are descendants of the container-init)
I agree, this all a bit strange and perhaps should be fixed. But afaics,
nothing bad can happen? I mean, if the sub-namespace does stupid things
it can't do a harm to the parent namespace? Or I missed something?
> - When the sibling dies, the SIGCHLD is sent to its parent (if
> alive), i.e the signal escapes the container to a parent container.
The same if container-init exits, we send SIGCHLD up. But yes, I agree,
this is a bit strange.
> (if the parent of the sibling exits, the container-init then becomes
> the reaper of the sibling).
Again, strange but harmless.
> To keep pid namespace semantics simple, prevent container-inits from using
> CLONE_PARENT at least until we have a better understanding of CLONE_PARENT
> and pid-namespace interactions.
Yes, perhaps makes sense.
> --- linux-mmotm.orig/kernel/fork.c 2009-06-17 18:23:23.000000000 -0700
> +++ linux-mmotm/kernel/fork.c 2009-06-17 19:17:54.000000000 -0700
> @@ -974,6 +974,14 @@ static struct task_struct *copy_process(
> if ((clone_flags & CLONE_SIGHAND) && !(clone_flags & CLONE_VM))
> return ERR_PTR(-EINVAL);
>
> + /*
> + * To keep pid namespace semantics simple, prevent container-inits
> + * from creating siblings.
> + */
> + if ((clone_flags & CLONE_PARENT) &&
> + is_container_init(current) && !is_global_init(current))
Both is_ checks are not right afaics. There are per-thread. This means
that container-init can do clone(CLONE_THREAD), and then this thread
does CLONE_PARENT and fools copy_process().
As for !is_global_init(). I never understood what should we do if the
global init does CLONE_PARENT, this attaches another process to swapper,
not good.
Oleg.
next prev parent reply other threads:[~2009-06-18 15:35 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-06-18 2:47 [RFC][PATCH 0/2] CLONE_PARENT and pid namespaces Sukadev Bhattiprolu
[not found] ` <20090618024743.GA31515-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-06-18 2:49 ` [RFC][PATCH 1/2] Deny CLONE_PARENT|CLONE_NEWPID combination Sukadev Bhattiprolu
[not found] ` <20090618024934.GA31672-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-06-18 3:26 ` Roland McGrath
2009-06-18 3:30 ` Eric W. Biederman
[not found] ` <m1d492jk0k.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2009-06-18 22:28 ` Sukadev Bhattiprolu
2009-06-18 2:51 ` [RFC][PATCH 2/2] Prevent container-inits from using CLONE_PARENT Sukadev Bhattiprolu
[not found] ` <20090618025103.GB31672-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-06-18 3:20 ` Eric W. Biederman
[not found] ` <m18wjqkz2i.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2009-06-18 22:40 ` Sukadev Bhattiprolu
2009-06-18 3:28 ` Roland McGrath
2009-06-18 15:35 ` Oleg Nesterov [this message]
[not found] ` <20090618153501.GA6404-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2009-06-18 15:42 ` Oleg Nesterov
2009-06-18 15:42 ` Oleg Nesterov
2009-06-18 22:52 ` Sukadev Bhattiprolu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090618153501.GA6404@redhat.com \
--to=oleg-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
--cc=adobriyan-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=haveblue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org \
--cc=roland-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org \
--cc=xemul-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.