[RFC PATCH v4 04/12] kmod - add namespace aware thread runner

[Ian Kent <raven@themaw.net>]

From: Ian Kent <ikent@redhat.com>

Make usermode helper thread runner namespace aware.

Signed-off-by: Ian Kent <ikent@redhat.com>
Cc: Benjamin Coddington <bcodding@redhat.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: J. Bruce Fields <bfields@fieldses.org>
Cc: David Howells <dhowells@redhat.com>
Cc: Trond Myklebust <trond.myklebust@primarydata.com>
Cc: Oleg Nesterov <onestero@redhat.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Jeff Layton <jeff.layton@primarydata.com>
---
 include/linux/kmod.h |   12 ++++++
 kernel/kmod.c        |   98 ++++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 106 insertions(+), 4 deletions(-)

diff --git a/include/linux/kmod.h b/include/linux/kmod.h
index e647ddb..64c81c9 100644
--- a/include/linux/kmod.h
+++ b/include/linux/kmod.h
@@ -25,6 +25,7 @@
 #include <linux/compiler.h>
 #include <linux/workqueue.h>
 #include <linux/sysctl.h>
+#include <linux/user_namespace.h>
 
 #define KMOD_PATH_LEN 256
 
@@ -52,6 +53,14 @@ struct file;
 #define UMH_WAIT_EXEC	1	/* wait for the exec, but not the process */
 #define UMH_WAIT_PROC	2	/* wait for the process to complete */
 #define UMH_KILLABLE	4	/* wait for EXEC/PROC killable */
+#define UMH_USE_NS	32	/* exec using caller's init namespace */
+
+#ifdef CONFIG_NAMESPACES
+struct umh_ns_info {
+	struct nsproxy *nsproxy;
+	struct user_namespace *user_ns;
+};
+#endif
 
 struct subprocess_info {
 	struct work_struct work;
@@ -64,6 +73,9 @@ struct subprocess_info {
 	int (*init)(struct subprocess_info *info, struct cred *new);
 	void (*cleanup)(struct subprocess_info *info);
 	void *data;
+#ifdef CONFIG_NAMESPACES
+	struct umh_ns_info nsinfo;
+#endif
 };
 
 extern int
diff --git a/kernel/kmod.c b/kernel/kmod.c
index e968e2d..213dbe0 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -39,6 +39,7 @@
 #include <linux/rwsem.h>
 #include <linux/ptrace.h>
 #include <linux/async.h>
+#include <linux/proc_ns.h>
 #include <asm/uaccess.h>
 
 #include <trace/events/module.h>
@@ -303,11 +304,8 @@ static int wait_for_helper(void *data)
 	do_exit(0);
 }
 
-/* This is run by khelper thread  */
-static void __call_usermodehelper(struct work_struct *work)
+static pid_t umh_kernel_thread(struct subprocess_info *sub_info)
 {
-	struct subprocess_info *sub_info =
-		container_of(work, struct subprocess_info, work);
 	pid_t pid;
 
 	if (sub_info->flags & UMH_WAIT_PROC)
@@ -316,7 +314,99 @@ static void __call_usermodehelper(struct work_struct *work)
 	else
 		pid = kernel_thread(____call_usermodehelper, sub_info,
 				    SIGCHLD);
+	return pid;
+}
+
+#ifndef CONFIG_NAMESPACES
+static pid_t umh_kernel_thread_in_ns(struct subprocess_info *sub_info)
+{
+	return -ENOTSUP;
+}
+#else
+static pid_t umh_kernel_thread_in_ns(struct subprocess_info *sub_info)
+{
+	struct umh_ns_info *info = &sub_info->nsinfo;
+	struct nsproxy *saved_nsp, *new_nsp;
+	struct user_namespace *user_ns;
+	struct pid_namespace *pid_ns;
+	struct mnt_namespace *mnt_ns;
+	pid_t pid;
+	int err;
+
+	saved_nsp = current->nsproxy;
+	get_nsproxy(saved_nsp);
+
+	new_nsp = info->nsproxy;
+	get_nsproxy(new_nsp);
+
+	user_ns = get_user_ns(current->cred->user_ns);
+	if (info->user_ns) {
+		err = user_ns->ns.ops->install(new_nsp, &info->user_ns->ns);
+		if (err)
+			goto out;
+	}
+
+	/* May need to wait4() completion so a pid valid in the
+	 * thread runners namespace is needed. Install current
+	 * pid ns in the nsproxy.
+	 */
+	pid_ns = current->nsproxy->pid_ns_for_children;
+	if (pid_ns) {
+		err = pid_ns->ns.ops->install(new_nsp, &pid_ns->ns);
+		if (err)
+			goto out_user_ns;
+	}
+
+	/* The mount namespace install function is a little
+	 * more than a no-op, as the install functions of the
+	 * other namespace types are in our case, we need to
+	 * call it to setup current fs root and pwd.
+	 */
+	mnt_ns = current->nsproxy->mnt_ns;
+	err = mnt_ns->ns.ops->install(new_nsp, &new_nsp->mnt_ns->ns);
+	if (err)
+		goto out_user_ns;
 
+	/* Finally, switch to the nsproxy of the init namespace
+	 * of the caller.
+	 */
+	switch_task_namespaces(current, new_nsp);
+
+	pid = umh_kernel_thread(sub_info);
+
+	mnt_ns->ns.ops->install(saved_nsp, &saved_nsp->mnt_ns->ns);
+
+	if (info->user_ns)
+		user_ns->ns.ops->install(saved_nsp, &user_ns->ns);
+
+	switch_task_namespaces(current, saved_nsp);
+
+	put_user_ns(user_ns);
+
+	return pid;
+
+out_user_ns:
+	if (info->user_ns)
+		user_ns->ns.ops->install(saved_nsp, &user_ns->ns);
+out:
+	put_user_ns(user_ns);
+	put_nsproxy(new_nsp);
+	put_nsproxy(saved_nsp);
+	return err;
+}
+#endif
+
+/* This is run by khelper thread  */
+static void __call_usermodehelper(struct work_struct *work)
+{
+	struct subprocess_info *sub_info =
+		container_of(work, struct subprocess_info, work);
+	pid_t pid;
+
+	if (sub_info->flags & UMH_USE_NS)
+		pid = umh_kernel_thread_in_ns(sub_info);
+	else
+		pid = umh_kernel_thread(sub_info);
 	if (pid < 0) {
 		sub_info->retval = pid;
 		umh_complete(sub_info);