From: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
To: Michal Hocko <mhocko@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Ingo Molnar <mingo@kernel.org>, Rik van Riel <riel@redhat.com>,
Stephen Rothwell <sfr@canb.auug.org.au>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Jiri Olsa <jolsa@kernel.org>,
Hari Bathini <hbathini@linux.vnet.ibm.com>,
Peter Zijlstra <peterz@infradead.org>,
Arnaldo Carvalho de Melo <acme@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH -next] fork.c: Move check of clone NEWIPC and SYSVSEM to copy_process
Date: Wed, 29 Nov 2017 22:33:43 -0200 [thread overview]
Message-ID: <20171130003341.GA14339@marcos-builder> (raw)
In-Reply-To: <20171130100406.qnn2zofbfaviorgs@dhcp22.suse.cz>
On Thu, Nov 30, 2017 at 11:04:06AM +0100, Michal Hocko wrote:
> CC Eric
>
> On Sun 26-11-17 14:06:52, Marcos Paulo de Souza wrote:
> > Currently this check for CLONE_NEWIPC with CLONE_SYSVSEM is done inside
> > copy_namespaces, resulting in a handful of error paths being executed if
> > these flags were used together. So, move this check to the beginning of
> > copy_process, exiting earlier if the condition is true.
> >
> > This move is safe because copy_namespaces is called just from
> > copy_process function.
This change is introduced right below the point where clone_flags is already
checking for inconsistencies in namespace flags[1], and returns EINVAL when
conflicting flags are informed together.
In this case, it's easier to return early when conflicting flags are informed at
the beginning, so moving a namespace check to where namespaces are already being
sanitized makes sense. If the code stays where it is now, and a user calls clone
syscalls informing CLONE_NEWIPC | CLONE_SYSVSEM, the code will need to undo a
lot of work before returning the same EINVAL[2].
[1] https://elixir.free-electrons.com/linux/latest/source/kernel/fork.c#L1552
[2] https://elixir.free-electrons.com/linux/latest/source/kernel/fork.c#L1953
>
> I am not familiar with the code all that much but the justification is
> not clear to me. Thesea re namespace related flags so why should we pull
> them out of copy_namespaces. I do not see any simplifications in the
> error code paths or something like that.
>
> > Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
> > ---
> > kernel/fork.c | 11 +++++++++++
> > kernel/nsproxy.c | 11 -----------
> > 2 files changed, 11 insertions(+), 11 deletions(-)
> >
> > diff --git a/kernel/fork.c b/kernel/fork.c
> > index 2113e252cb9d..691f9ba135fc 100644
> > --- a/kernel/fork.c
> > +++ b/kernel/fork.c
> > @@ -1600,6 +1600,17 @@ static __latent_entropy struct task_struct *copy_process(
> > return ERR_PTR(-EINVAL);
> >
> > /*
> > + * CLONE_NEWIPC must detach from the undolist: after switching
> > + * to a new ipc namespace, the semaphore arrays from the old
> > + * namespace are unreachable. In clone parlance, CLONE_SYSVSEM
> > + * means share undolist with parent, so we must forbid using
> > + * it along with CLONE_NEWIPC.
> > + */
> > + if ((clone_flags & (CLONE_NEWIPC | CLONE_SYSVSEM)) ==
> > + (CLONE_NEWIPC | CLONE_SYSVSEM))
> > + return ERR_PTR(-EINVAL);
> > +
> > + /*
> > * Thread groups must share signals as well, and detached threads
> > * can only be started up within the thread group.
> > */
> > diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
> > index f6c5d330059a..30882727dff5 100644
> > --- a/kernel/nsproxy.c
> > +++ b/kernel/nsproxy.c
> > @@ -151,17 +151,6 @@ int copy_namespaces(unsigned long flags, struct task_struct *tsk)
> > if (!ns_capable(user_ns, CAP_SYS_ADMIN))
> > return -EPERM;
> >
> > - /*
> > - * CLONE_NEWIPC must detach from the undolist: after switching
> > - * to a new ipc namespace, the semaphore arrays from the old
> > - * namespace are unreachable. In clone parlance, CLONE_SYSVSEM
> > - * means share undolist with parent, so we must forbid using
> > - * it along with CLONE_NEWIPC.
> > - */
> > - if ((flags & (CLONE_NEWIPC | CLONE_SYSVSEM)) ==
> > - (CLONE_NEWIPC | CLONE_SYSVSEM))
> > - return -EINVAL;
> > -
> > new_ns = create_new_namespaces(flags, tsk, user_ns, tsk->fs);
> > if (IS_ERR(new_ns))
> > return PTR_ERR(new_ns);
> > --
> > 2.13.6
> >
>
> --
> Michal Hocko
> SUSE Labs
--
Thanks,
Marcos
next prev parent reply other threads:[~2017-11-30 15:28 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-26 16:06 [PATCH -next] fork.c: Move check of clone NEWIPC and SYSVSEM to copy_process Marcos Paulo de Souza
2017-11-30 10:04 ` Michal Hocko
2017-11-30 0:33 ` Marcos Paulo de Souza [this message]
2017-12-01 8:19 ` Michal Hocko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171130003341.GA14339@marcos-builder \
--to=marcos.souza.org@gmail.com \
--cc=acme@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=hbathini@linux.vnet.ibm.com \
--cc=jolsa@kernel.org \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mhocko@kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=riel@redhat.com \
--cc=sfr@canb.auug.org.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.