From: Oleg Nesterov <oleg@redhat.com>
To: Grzegorz Nosek <root@localdomain.pl>
Cc: Matt Helsley <matthltc@us.ibm.com>,
	Roland McGrath <roland@redhat.com>,
	Sukadev Bhattiprolu <sukadev@us.ibm.com>,
	containers@lists.linux-foundation.org,
	linux-kernel@vger.kernel.org
Subject: Re: Testing lxc 0.6.5 in Fedora 13
Date: Fri, 26 Mar 2010 13:00:28 +0100
Message-ID: <20100326120028.GA11311@redhat.com>
In-Reply-To: <20100326113201.GB17113@megiteam.pl>

On 03/26, Grzegorz Nosek wrote:
>
> On Fri, Mar 26, 2010 at 12:11:31PM +0100, Oleg Nesterov wrote:
> > Yes, this is broken. More precisely, this wasn't even supposed to work.
> >
> > Even stracing of the sub-init itself (or global init btw) has problems,
> > the straced init is not protected from unwanted signals.
>
> Is this impossible/very hard to do cleanly? I understand that container's
> init becomes vulnerable to signals sent from root-owned processes in the
> container. If so, the impact of this issue should be quite limited, no?

Yes, probably we can ignore this.

> > Yes. First of all, tracehook_report_clone_complete() reports the wrong pid nr,
> > as it is seen inside the init's namespace. This is easy to fix, but I doubt this
> > can help. IIRC strace doesn't use PTRACE_GETEVENTMSG at all, it looks at eax
> > after syscall.
> >
> > which patch?
>
> The patch below posted by Matt. AIUI, it fixes the
> tracehook_report_clone_complete() part, which results in an observable
> change in strace's behaviour (not that it makes strace work, though).

I guess it doesn't work because we need to fix strace, see "strace doesn't
use PTRACE_GETEVENTMSG" above.

> Anyway, are there any remaining issues on the kernel side or does strace
> have to be taught about pid namespaces?

At first glance, I don't see other problems, except sometimes the reported
pid is wrong (like in do_fork). 

> +               ptrace_pid_vnr = nr;
> +               if (unlikely(p->parent != p->real_parent)) {
> +                       rcu_read_lock();
> +                       ptrace_pid_vnr = task_pid_nr_ns(p, p->parent->nsproxy->pid_ns);
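
Review bot: the p->parent->nsproxy->pid_ns chain on the last quoted line is dereferenced with no NULL check on nsproxy, and a task's nsproxy is cleared while it exits, so an exiting tracer could be hit here. task_active_pid_ns(p->parent) takes the namespace from the tracer's struct pid and avoids the nsproxy dereference. The quoted lines also take rcu_read_lock() without the matching rcu_read_unlock() being visible in this excerpt, so check that it is paired on every path out of the if block.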

Yes, this is what I meant.

But we should not do this in do_fork().


But once again. This change fixes the value in "tracee->ptrace_message == newpid",
but a quick grep shows that strace-4.5.19 doesn't use PTRACE_GETEVENTMSG at all.

Oleg.
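
Added example, not part of the original message and not strace's code: a minimal tracer that reads the new child's pid with PTRACE_GETEVENTMSG and compares it with the value fork() returned inside the tracee (what a tracer reading eax would see). The function name fork_pid_views is hypothetical; when tracer and tracee share a pid namespace the two numbers agree, and the return value is always the number in the tracee's own namespace.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 0 on success. *msg_pid is the child's pid from PTRACE_GETEVENTMSG
 * (tracer's view); *ret_pid is what fork() returned in the tracee. */
int fork_pid_views(pid_t *msg_pid, pid_t *ret_pid)
{
    int pfd[2], st;
    unsigned long msg = 0;
    if (pipe(pfd) < 0) return -1;
    pid_t tracee = fork();
    if (tracee < 0) return -1;
    if (tracee == 0) {                          /* tracee side */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                         /* let the tracer set options */
        pid_t c = fork();
        if (c == 0) _exit(0);
        if (write(pfd[1], &c, sizeof c) != (ssize_t)sizeof c) _exit(1);
        _exit(0);
    }
    close(pfd[1]);
    if (waitpid(tracee, &st, 0) < 0 || !WIFSTOPPED(st)) return -1;
    if (ptrace(PTRACE_SETOPTIONS, tracee, NULL,
               (void *)(long)PTRACE_O_TRACEFORK) < 0) return -1;
    ptrace(PTRACE_CONT, tracee, NULL, NULL);    /* data 0 drops the SIGSTOP */
    if (waitpid(tracee, &st, 0) < 0 || !WIFSTOPPED(st)) return -1;
    if ((st >> 8) != (SIGTRAP | (PTRACE_EVENT_FORK << 8))) return -1;
    if (ptrace(PTRACE_GETEVENTMSG, tracee, NULL, &msg) < 0) return -1;
    *msg_pid = (pid_t)msg;
    /* The new child starts out traced by us and stopped: reap that stop,
     * then detach from both so they run to completion. */
    if (waitpid(*msg_pid, &st, __WALL) < 0) return -1;
    ptrace(PTRACE_DETACH, *msg_pid, NULL, NULL);
    ptrace(PTRACE_DETACH, tracee, NULL, NULL);
    ssize_t n = read(pfd[0], ret_pid, sizeof *ret_pid);
    close(pfd[0]);
    waitpid(tracee, &st, 0);
    return n == (ssize_t)sizeof *ret_pid ? 0 : -1;
}

int main(void)
{
    pid_t m = 0, r = 0;
    if (fork_pid_views(&m, &r) != 0) { perror("fork_pid_views"); return 1; }
    printf("GETEVENTMSG pid=%d, fork() return=%d\n", (int)m, (int)r);
    return 0;
}
```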

