Re: CLONE_PARENT after setns(CLONE_NEWPID)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Oleg Nesterov <oleg@redhat.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Serge Hallyn <serge.hallyn@ubuntu.com>,
	Brad Spengler <spender@grsecurity.net>,
	Christian Seiler <christian@iwakd.de>,
	lkml <linux-kernel@vger.kernel.org>,
	Andy Whitcroft <apw@canonical.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Lxc development list <lxc-devel@lists.sourceforge.net>
Subject: Re: CLONE_PARENT after setns(CLONE_NEWPID)
Date: Wed, 6 Nov 2013 21:06:50 +0100	[thread overview]
Message-ID: <20131106200650.GA20212@redhat.com> (raw)
In-Reply-To: <CALCETrV=G30_4bVQbRF0Z9kzYpP8V+aUf-uZES+qVD5MXEAWZQ@mail.gmail.com>

On 11/06, Andy Lutomirski wrote:
>
> On Wed, Nov 6, 2013 at 11:33 AM, Oleg Nesterov <oleg@redhat.com> wrote:
> > Hi Serge,
> >
> > On 11/06, Serge Hallyn wrote:
> >>
> >> Hi Oleg,
> >>
> >> commit 40a0d32d1eaffe6aac7324ca92604b6b3977eb0e :
> >> "fork: unify and tighten up CLONE_NEWUSER/CLONE_NEWPID checks"
> >> breaks lxc-attach in 3.12.  That code forks a child which does
> >> setns() and then does a clone(CLONE_PARENT).  That way the
> >> grandchild can be in the right namespaces (which the child was
> >> not) and be a child of the original task, which is the monitor.
> >
> > Thanks...
> >
> > Yes, this is what 40a0d32d1ea explicitly tries to disallow.
> >
> >> Is there a real danger in allowing CLONE_PARENT
> >> when current->nsproxy->pidns_for_children is not our pidns,
> >> or was this done out of an "over-abundance of caution"?
> >
> > I am not sure... This all was based on the long discussion, and
> > it was decided that the CLONE_PARENT check should be consistent
> > wrt CLONE_NEWPID and pidns_for_children != task_active_pid_ns().
> >
> >> Can we
> >> safely revert that new extra check?
> >
> > Well, usually we do not break user-space, but I am not sure about
> > this case...
>
> Presumably if we allow this, then we should also allow
> clone(CLONE_NEWPID | CLONE_PARENT).

Yes, agreed. but this means another change, this was forbidden even
before this commit.

> This seems a little odd, but off
> the top of my head it doesn't seem obviously dangerous.

I do not see any "strong" reason too. At least right now... But I would
say that it would be better to not allow to abuse ->real_parent, it
doesn't event know about the new child (if CLONE_PARENT).

> (Why were we worried about this in the first place?  The comment says
> that we don't want signal handlers or thread groups to span
> namespaces, but CLONE_PARENT has nothing to do with that.)

it also says "or parent" ;)

> I feel like I'm rehashing something ancient, but shouldn't that code just be:
>
> if (clone_flags & CLONE_VM) {
>   // check for unsharing namespaces

No, this will break vfork().

And note that CLONE_SIGHAND was disallowed "just in case" and because
do_fork() had a similar check. Sharing the signal handlers is fine afaics.

>From e79f525e:

	We could probably even drop CLONE_SIGHAND and use CLONE_THREAD, but it
	would be safer to not do this.  The current check denies CLONE_SIGHAND
	implicitely and there is no reason to change this.

And I disagree with

	Eric said "CLONE_SIGHAND is fine.  CLONE_THREAD would be even better.
	Having shared signal handling between two different pid namespaces is
	the case that we are fundamentally guarding against."

added during the merging ;) Or perhaps I misunderstood the text above. But this
all is off-topic.

Oleg.

next prev parent reply	other threads:[~2013-11-06 20:05 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-11-06 18:02 CLONE_PARENT after setns(CLONE_NEWPID) Serge Hallyn
2013-11-06 19:33 ` Oleg Nesterov
2013-11-06 19:50   ` Andy Lutomirski
2013-11-06 20:06     ` Oleg Nesterov [this message]
2013-11-06 20:21       ` Andy Lutomirski
2013-11-06 22:50   ` Eric W. Biederman
2013-11-06 22:56     ` Andy Lutomirski
2013-11-06 23:17       ` Serge Hallyn
2013-11-06 23:12     ` Serge Hallyn
2013-11-06 23:31     ` Christian Seiler
2013-11-08 17:22     ` Oleg Nesterov
2014-01-15 21:11     ` Christian Seiler
2014-01-16  4:46       ` Serge Hallyn
2013-11-06 22:53   ` Serge Hallyn
2013-11-06 22:53     ` Eric W. Biederman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20131106200650.GA20212@redhat.com \
    --to=oleg@redhat.com \
    --cc=apw@canonical.com \
    --cc=christian@iwakd.de \
    --cc=ebiederm@xmission.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=lxc-devel@lists.sourceforge.net \
    --cc=serge.hallyn@ubuntu.com \
    --cc=spender@grsecurity.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.