Re: [PATCH -mm 7/8] user_ns: handle file sigio

[Cedric Le Goater <clg@fr.ibm.com>]

Serge E. Hallyn wrote:
> Quoting Andrew Morton (akpm@osdl.org):
>> On Thu, 4 Jan 2007 12:12:57 -0600
>> "Serge E. Hallyn" <serue@us.ibm.com> wrote:
>>
>>> A process in one user namespace could set a fowner and sigio on a file in a
>>> shared vfsmount, ending up killing a task in another user namespace.
>>>
>>> Prevent this by adding a user namespace pointer to the fown_struct, and
>>> enforcing that a process causing a signal to be sent be in the same
>>> user namespace as the file owner.
>> This patch breaks the X server (stock FC5 install) with CONFIG_USER_NS=n.
>> Neither the USB mouse nor the trackpad work.  They work OK under GPM.
>>
>> Setting CONFIG_USER_NS=y "fixes" this.  This bug was not observed in
>> 2.6.20-rc3-mm1 because that kernel had user-ns-always-on.patch for other
>> reasons.  (I'll restore that patch).
>>
>> There's nothing very interesting here:
>
[ ... ]
> 
> I can't see any reason for this in the code or comparative ltp runs.
> Cedric is testing on a fc6 laptop, hopefully he can reproduce it.

I did reproduce it on a FC5 desktop finally. 

get_user_ns() returns NULL when CONFIG_USER_NS=n and this breaks  
sigio_perm() which does not expect NULL values for ->user_ns.

I would fix this with the following patch.

C.


Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>

---
 include/linux/user_namespace.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: 2.6.20-rc4-mm1/include/linux/user_namespace.h
===================================================================
--- 2.6.20-rc4-mm1.orig/include/linux/user_namespace.h
+++ 2.6.20-rc4-mm1/include/linux/user_namespace.h
@@ -49,7 +49,7 @@

 static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
 {
-	return NULL;
+	return &init_user_ns;
 }

 static inline int unshare_user_ns(unsigned long flags,