* [C/R PATCH] reject checkpoint of fd subject to F_SETSIG
@ 2011-04-29 21:27 Nathan Lynch
[not found] ` <1304112454-24641-1-git-send-email-ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org>
0 siblings, 1 reply; 8+ messages in thread
From: Nathan Lynch @ 2011-04-29 21:27 UTC (permalink / raw)
To: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA
Similar to our handling of fds that have been subject to F_SETOWN,
detect when an fd has had its f_owner->signum changed from the
default.
Signed-off-by: Nathan Lynch <ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org>
---
fs/checkpoint.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/fs/checkpoint.c b/fs/checkpoint.c
index fd539c5..bf4d2d4 100644
--- a/fs/checkpoint.c
+++ b/fs/checkpoint.c
@@ -265,6 +265,7 @@ static int checkpoint_file_desc(struct ckpt_ctx *ctx,
struct file *file = NULL;
struct fdtable *fdt;
int objref, ret;
+ int signum;
int coe = 0; /* avoid gcc warning */
pid_t pid;
@@ -311,6 +312,13 @@ static int checkpoint_file_desc(struct ckpt_ctx *ctx,
goto out;
}
+ signum = ACCESS_ONCE(file->f_owner.signum);
+ if (signum != 0) {
+ ret = -EBUSY;
+ ckpt_err(ctx, ret, "%(T)fd %d has a signal set (%d)\n", fd, signum);
+ goto out;
+ }
+
/*
* if seen first time, this will add 'file' to the objhash, keep
* a reference to it, dump its state while at it.
--
1.7.4.4
^ permalink raw reply related [flat|nested] 8+ messages in thread[parent not found: <1304112454-24641-1-git-send-email-ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org>]
* Re: [C/R PATCH] reject checkpoint of fd subject to F_SETSIG [not found] ` <1304112454-24641-1-git-send-email-ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org> @ 2011-05-02 13:18 ` Serge Hallyn [not found] ` <20110502131824.GC9375-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org> 0 siblings, 1 reply; 8+ messages in thread From: Serge Hallyn @ 2011-05-02 13:18 UTC (permalink / raw) To: Nathan Lynch; +Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org): > Similar to our handling of fds that have been subject to F_SETOWN, > detect when an fd has had its f_owner->signum changed from the > default. > > Signed-off-by: Nathan Lynch <ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org> Hey Nathan, Can you give more motivation for this? Do you just feel that it isn't worth the risk of mis-coding the check at restart? For safety check, what about forcing such a task to be restarted in a private pidns? I'm not nacking it, don't mind it going in temporarily, but this commit message makes it sound like using F_SETSIG is an application error. thanks, -serge > --- > fs/checkpoint.c | 8 ++++++++ > 1 files changed, 8 insertions(+), 0 deletions(-) > > diff --git a/fs/checkpoint.c b/fs/checkpoint.c > index fd539c5..bf4d2d4 100644 > --- a/fs/checkpoint.c > +++ b/fs/checkpoint.c > @@ -265,6 +265,7 @@ static int checkpoint_file_desc(struct ckpt_ctx *ctx, > struct file *file = NULL; > struct fdtable *fdt; > int objref, ret; > + int signum; > int coe = 0; /* avoid gcc warning */ > pid_t pid; > > @@ -311,6 +312,13 @@ static int checkpoint_file_desc(struct ckpt_ctx *ctx, > goto out; > } > > + signum = ACCESS_ONCE(file->f_owner.signum); > + if (signum != 0) { > + ret = -EBUSY; > + ckpt_err(ctx, ret, "%(T)fd %d has a signal set (%d)\n", fd, signum); > + goto out; > + } > + > /* > * if seen first time, this will add 'file' to the objhash, keep > * a reference to it, dump its state while at it. > -- > 1.7.4.4 > > _______________________________________________ > Containers mailing list > Containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org > https://lists.linux-foundation.org/mailman/listinfo/containers ^ permalink raw reply [flat|nested] 8+ messages in thread
[parent not found: <20110502131824.GC9375-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>]
* Re: [C/R PATCH] reject checkpoint of fd subject to F_SETSIG [not found] ` <20110502131824.GC9375-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org> @ 2011-05-02 18:34 ` Nathan Lynch 2011-05-02 18:54 ` Serge Hallyn 0 siblings, 1 reply; 8+ messages in thread From: Nathan Lynch @ 2011-05-02 18:34 UTC (permalink / raw) To: Serge Hallyn; +Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA On Mon, 2011-05-02 at 08:18 -0500, Serge Hallyn wrote: > Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org): > > Similar to our handling of fds that have been subject to F_SETOWN, > > detect when an fd has had its f_owner->signum changed from the > > default. > > > > Signed-off-by: Nathan Lynch <ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org> > > Hey Nathan, > > Can you give more motivation for this? Do you just feel that it > isn't worth the risk of mis-coding the check at restart? The principle here is that we should try to catch at checkpoint time that which we don't handle correctly at restart. Right now checkpoint apparently succeeds, but doing a fcntl(F_GETSIG) after a restart will show that the signal set before checkpoint has not been preserved. > For safety check, what about forcing such a task to be restarted > in a private pidns? Sorry, I'm not making the connection between this concern and F_SETSIG and F_GETSIG. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [C/R PATCH] reject checkpoint of fd subject to F_SETSIG 2011-05-02 18:34 ` Nathan Lynch @ 2011-05-02 18:54 ` Serge Hallyn [not found] ` <20110502185448.GA32506-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org> 0 siblings, 1 reply; 8+ messages in thread From: Serge Hallyn @ 2011-05-02 18:54 UTC (permalink / raw) To: Nathan Lynch; +Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org): > On Mon, 2011-05-02 at 08:18 -0500, Serge Hallyn wrote: > > Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org): > > > Similar to our handling of fds that have been subject to F_SETOWN, > > > detect when an fd has had its f_owner->signum changed from the > > > default. > > > > > > Signed-off-by: Nathan Lynch <ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org> > > > > Hey Nathan, > > > > Can you give more motivation for this? Do you just feel that it > > isn't worth the risk of mis-coding the check at restart? > > The principle here is that we should try to catch at checkpoint time > that which we don't handle correctly at restart. Right now checkpoint > apparently succeeds, but doing a fcntl(F_GETSIG) after a restart will > show that the signal set before checkpoint has not been preserved. Really? I thought for sure Suka had addressed that. So if you don't mind, please add 'because we do not reset it at restart' to the end of your description? > > For safety check, what about forcing such a task to be restarted > > in a private pidns? > > Sorry, I'm not making the connection between this concern and F_SETSIG > and F_GETSIG. The signal signum will only be sent to the task identified, by pid, as the owner. If we weren't doing things right at restart, then a malicious restarter could cause any signal to be sent to a pid which it shouldn't be able to kill. thanks, -serge ^ permalink raw reply [flat|nested] 8+ messages in thread
[parent not found: <20110502185448.GA32506-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>]
* Re: [C/R PATCH] reject checkpoint of fd subject to F_SETSIG [not found] ` <20110502185448.GA32506-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org> @ 2011-05-03 18:40 ` Sukadev Bhattiprolu [not found] ` <20110503184031.GD8093-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> 0 siblings, 1 reply; 8+ messages in thread From: Sukadev Bhattiprolu @ 2011-05-03 18:40 UTC (permalink / raw) To: Serge Hallyn Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Nathan Lynch Serge Hallyn [serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org] wrote: | Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org): | > On Mon, 2011-05-02 at 08:18 -0500, Serge Hallyn wrote: | > > Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org): | > > > Similar to our handling of fds that have been subject to F_SETOWN, | > > > detect when an fd has had its f_owner->signum changed from the | > > > default. | > > > | > > > Signed-off-by: Nathan Lynch <ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org> | > > | > > Hey Nathan, | > > | > > Can you give more motivation for this? Do you just feel that it | > > isn't worth the risk of mis-coding the check at restart? | > | > The principle here is that we should try to catch at checkpoint time | > that which we don't handle correctly at restart. Right now checkpoint | > apparently succeeds, but doing a fcntl(F_GETSIG) after a restart will | > show that the signal set before checkpoint has not been preserved. | | Really? I thought for sure Suka had addressed that. I did post patches for C/R of file owner (along with file locks), but don't believe they were merged. IIRC, the file-owner patches were blocked on the struct pid changes. | | So if you don't mind, please add 'because we do not reset it at restart' | to the end of your description? | | > > For safety check, what about forcing such a task to be restarted | > > in a private pidns? | > | > Sorry, I'm not making the connection between this concern and F_SETSIG | > and F_GETSIG. | | The signal signum will only be sent to the task identified, by pid, | as the owner. If we weren't doing things right at restart, then | a malicious restarter could cause any signal to be sent to a pid | which it shouldn't be able to kill. We tried to have reset() use the same interface as the original fcntl() so we would do the same permssion checks. But for F_SETSIG, there are no permission checks during fcntl(). The permission checks are done at the time of actually sending the signal, so even if restart says SIGKILL, it will not necessarily be delivered ? | | thanks, | -serge | _______________________________________________ | Containers mailing list | Containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org | https://lists.linux-foundation.org/mailman/listinfo/containers ^ permalink raw reply [flat|nested] 8+ messages in thread
[parent not found: <20110503184031.GD8093-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>]
* Re: [C/R PATCH] reject checkpoint of fd subject to F_SETSIG [not found] ` <20110503184031.GD8093-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> @ 2011-05-03 20:08 ` Serge E. Hallyn [not found] ` <20110503200820.GA24419-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org> 2011-05-04 4:53 ` Oren Laadan 1 sibling, 1 reply; 8+ messages in thread From: Serge E. Hallyn @ 2011-05-03 20:08 UTC (permalink / raw) To: Sukadev Bhattiprolu Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Nathan Lynch Quoting Sukadev Bhattiprolu (sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org): > | Really? I thought for sure Suka had addressed that. > > I did post patches for C/R of file owner (along with file locks), but > don't believe they were merged. IIRC, the file-owner patches were > blocked on the struct pid changes. Zounds! Acked-by: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org> to Nathan's patch. -serge ^ permalink raw reply [flat|nested] 8+ messages in thread
[parent not found: <20110503200820.GA24419-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>]
* Re: [C/R PATCH] reject checkpoint of fd subject to F_SETSIG [not found] ` <20110503200820.GA24419-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org> @ 2011-05-07 17:27 ` Oren Laadan 0 siblings, 0 replies; 8+ messages in thread From: Oren Laadan @ 2011-05-07 17:27 UTC (permalink / raw) To: Serge E. Hallyn Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Sukadev Bhattiprolu, Nathan Lynch On 05/03/2011 04:08 PM, Serge E. Hallyn wrote: > Quoting Sukadev Bhattiprolu (sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org): >> | Really? I thought for sure Suka had addressed that. >> >> I did post patches for C/R of file owner (along with file locks), but >> don't believe they were merged. IIRC, the file-owner patches were >> blocked on the struct pid changes. > > Zounds! > > Acked-by: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org> > to Nathan's patch. Thanks, will apply shortly. Oren. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [C/R PATCH] reject checkpoint of fd subject to F_SETSIG [not found] ` <20110503184031.GD8093-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> 2011-05-03 20:08 ` Serge E. Hallyn @ 2011-05-04 4:53 ` Oren Laadan 1 sibling, 0 replies; 8+ messages in thread From: Oren Laadan @ 2011-05-04 4:53 UTC (permalink / raw) To: Sukadev Bhattiprolu Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Nathan Lynch On 05/03/2011 02:40 PM, Sukadev Bhattiprolu wrote: > Serge Hallyn [serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org] wrote: > | Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org): > | > On Mon, 2011-05-02 at 08:18 -0500, Serge Hallyn wrote: > | > > Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org): > | > > > Similar to our handling of fds that have been subject to F_SETOWN, > | > > > detect when an fd has had its f_owner->signum changed from the > | > > > default. > | > > > > | > > > Signed-off-by: Nathan Lynch <ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org> > | > > > | > > Hey Nathan, > | > > > | > > Can you give more motivation for this? Do you just feel that it > | > > isn't worth the risk of mis-coding the check at restart? > | > > | > The principle here is that we should try to catch at checkpoint time > | > that which we don't handle correctly at restart. Right now checkpoint > | > apparently succeeds, but doing a fcntl(F_GETSIG) after a restart will > | > show that the signal set before checkpoint has not been preserved. > | > | Really? I thought for sure Suka had addressed that. > > I did post patches for C/R of file owner (along with file locks), but > don't believe they were merged. IIRC, the file-owner patches were > blocked on the struct pid changes. Suka: the pid-as-objects changes are now stable and included in the tree. What would it take to get the file-owner patches working on it ? > | > | So if you don't mind, please add 'because we do not reset it at restart' > | to the end of your description? > | > | > > For safety check, what about forcing such a task to be restarted > | > > in a private pidns? > | > > | > Sorry, I'm not making the connection between this concern and F_SETSIG > | > and F_GETSIG. > | > | The signal signum will only be sent to the task identified, by pid, > | as the owner. If we weren't doing things right at restart, then > | a malicious restarter could cause any signal to be sent to a pid > | which it shouldn't be able to kill. > > We tried to have reset() use the same interface as the original fcntl() > so we would do the same permssion checks. > > But for F_SETSIG, there are no permission checks during fcntl(). > > The permission checks are done at the time of actually sending the signal, > so even if restart says SIGKILL, it will not necessarily be delivered ? Sounds ok to me. Thanks, Oren. ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2011-05-07 17:27 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-04-29 21:27 [C/R PATCH] reject checkpoint of fd subject to F_SETSIG Nathan Lynch
[not found] ` <1304112454-24641-1-git-send-email-ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org>
2011-05-02 13:18 ` Serge Hallyn
[not found] ` <20110502131824.GC9375-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-05-02 18:34 ` Nathan Lynch
2011-05-02 18:54 ` Serge Hallyn
[not found] ` <20110502185448.GA32506-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-05-03 18:40 ` Sukadev Bhattiprolu
[not found] ` <20110503184031.GD8093-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2011-05-03 20:08 ` Serge E. Hallyn
[not found] ` <20110503200820.GA24419-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-05-07 17:27 ` Oren Laadan
2011-05-04 4:53 ` Oren Laadan
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.