All of lore.kernel.org
 help / color / mirror / Atom feed
From: Sukadev Bhattiprolu <sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
To: Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
	Nathan Lynch <ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org>
Subject: Re: [C/R PATCH] reject checkpoint of fd subject to F_SETSIG
Date: Tue, 3 May 2011 11:40:31 -0700	[thread overview]
Message-ID: <20110503184031.GD8093@us.ibm.com> (raw)
In-Reply-To: <20110502185448.GA32506-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>

Serge Hallyn [serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org] wrote:
| Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
| > On Mon, 2011-05-02 at 08:18 -0500, Serge Hallyn wrote:
| > > Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
| > > > Similar to our handling of fds that have been subject to F_SETOWN,
| > > > detect when an fd has had its f_owner->signum changed from the
| > > > default.
| > > > 
| > > > Signed-off-by: Nathan Lynch <ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org>
| > > 
| > > Hey Nathan,
| > > 
| > > Can you give more motivation for this?  Do you just feel that it
| > > isn't worth the risk of mis-coding the check at restart?
| > 
| > The principle here is that we should try to catch at checkpoint time
| > that which we don't handle correctly at restart.  Right now checkpoint
| > apparently succeeds, but doing a fcntl(F_GETSIG) after a restart will
| > show that the signal set before checkpoint has not been preserved.
| 
| Really?  I thought for sure Suka had addressed that.

I did post patches for C/R of file owner (along with file locks), but
don't believe they were merged.  IIRC, the file-owner patches were
blocked on the struct pid changes.
| 
| So if you don't mind, please add 'because we do not reset it at restart'
| to the end of your description?
| 
| > > For safety check, what about forcing such a task to be restarted
| > > in a private pidns?
| > 
| > Sorry, I'm not making the connection between this concern and F_SETSIG
| > and F_GETSIG.  
| 
| The signal signum will only be sent to the task identified, by pid,
| as the owner.  If we weren't doing things right at restart, then
| a malicious restarter could cause any signal to be sent to a pid
| which it shouldn't be able to kill.

We tried to have reset() use the same interface as the original fcntl()
so we would do the same permssion checks.

But for F_SETSIG, there are no permission checks during fcntl(). 

The permission checks are done at the time of actually sending the signal,
so even if restart says SIGKILL, it will not necessarily be delivered ?
| 
| thanks,
| -serge
| _______________________________________________
| Containers mailing list
| Containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
| https://lists.linux-foundation.org/mailman/listinfo/containers

  parent reply	other threads:[~2011-05-03 18:40 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-04-29 21:27 [C/R PATCH] reject checkpoint of fd subject to F_SETSIG Nathan Lynch
     [not found] ` <1304112454-24641-1-git-send-email-ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org>
2011-05-02 13:18   ` Serge Hallyn
     [not found]     ` <20110502131824.GC9375-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-05-02 18:34       ` Nathan Lynch
2011-05-02 18:54         ` Serge Hallyn
     [not found]           ` <20110502185448.GA32506-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-05-03 18:40             ` Sukadev Bhattiprolu [this message]
     [not found]               ` <20110503184031.GD8093-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2011-05-03 20:08                 ` Serge E. Hallyn
     [not found]                   ` <20110503200820.GA24419-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-05-07 17:27                     ` Oren Laadan
2011-05-04  4:53                 ` Oren Laadan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20110503184031.GD8093@us.ibm.com \
    --to=sukadev-23vcf4htsmix0ybbhkvfkdbpr1lh4cv8@public.gmane.org \
    --cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
    --cc=ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org \
    --cc=serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.