* [patch 1/1][RFC] do not sys_reboot when not in init_pid_ns
@ 2008-11-02 0:00 Daniel Lezcano
[not found] ` <54333.2001:16d8:ff15:101:219:d2ff:fed5:8193.1225584965.squirrel@intranet>
[not found] ` <490CEDA0.6020800-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
0 siblings, 2 replies; 8+ messages in thread
From: Daniel Lezcano @ 2008-11-02 0:00 UTC (permalink / raw)
To: Linux Containers
[-- Attachment #1: Type: text/plain, Size: 1 bytes --]
[-- Attachment #2: do-not-shutdown-when-not-init-pid-ns.patch --]
[-- Type: text/x-diff, Size: 1384 bytes --]
Subject: disable sys_reboot when not in init_pid_ns
From: Daniel Lezcano <dlezcano-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
This simple patch avoid to shutdown the host within a container. Without this
patch a call to the 'halt' inside a container will switch to the right runlevel
but finishing with 'shutdown -f' in the last init script with the effect of
shutting down the real host.
This patch has been tested with the lxc tools and a debian minimal container.
The 'init' process running inside the container does correctly call the
different shutdown services and the container exits gracefully.
I didn't try with the 'init' from the upstart package. It uses an abstract
unix socket, that means this patch should work if the container is network
isolated too.
Signed-off-by: Daniel Lezcano <dlezcano-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
---
kernel/sys.c | 3 +++
1 file changed, 3 insertions(+)
Index: net-next-2.6/kernel/sys.c
===================================================================
--- net-next-2.6.orig/kernel/sys.c
+++ net-next-2.6/kernel/sys.c
@@ -355,6 +355,9 @@ asmlinkage long sys_reboot(int magic1, i
if (!capable(CAP_SYS_BOOT))
return -EPERM;
+ if (current->nsproxy->pid_ns != &init_pid_ns)
+ return 0;
+
/* For safety, we require "magic" arguments. */
if (magic1 != LINUX_REBOOT_MAGIC1 ||
(magic2 != LINUX_REBOOT_MAGIC2 &&
[-- Attachment #3: Type: text/plain, Size: 206 bytes --]
_______________________________________________
Containers mailing list
Containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
https://lists.linux-foundation.org/mailman/listinfo/containers
^ permalink raw reply [flat|nested] 8+ messages in thread[parent not found: <54333.2001:16d8:ff15:101:219:d2ff:fed5:8193.1225584965.squirrel@intranet>]
* Re: [patch 1/1][RFC] do not sys_reboot when not in init_pid_ns [not found] ` <54333.2001:16d8:ff15:101:219:d2ff:fed5:8193.1225584965.squirrel@intranet> @ 2008-11-02 23:04 ` Serge E. Hallyn 2008-11-04 20:40 ` Daniel Lezcano 1 sibling, 0 replies; 8+ messages in thread From: Serge E. Hallyn @ 2008-11-02 23:04 UTC (permalink / raw) To: Daniel Hokka Zakrisson; +Cc: Linux Containers, Daniel Lezcano Quoting Daniel Hokka Zakrisson (daniel-nym3zxDgnZcAvxtiuMwx3w@public.gmane.org): > Daniel Lezcano wrote: > > > > Wouldn't it be better to simply remove CAP_SYS_BOOT from containers > until sys_reboot emits some signal to userspace to restart/halt the > container? (This is what we do in Linux-VServer.) > > -- > Daniel Hokka Zakrisson Yeah that makes more sense to me. Note that otherwise your patch still lets the container mess with sys_kexec_load(), for instance. -serge ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [patch 1/1][RFC] do not sys_reboot when not in init_pid_ns [not found] ` <54333.2001:16d8:ff15:101:219:d2ff:fed5:8193.1225584965.squirrel@intranet> 2008-11-02 23:04 ` Serge E. Hallyn @ 2008-11-04 20:40 ` Daniel Lezcano [not found] ` <4910B34B.7070901-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org> 1 sibling, 1 reply; 8+ messages in thread From: Daniel Lezcano @ 2008-11-04 20:40 UTC (permalink / raw) To: Daniel Hokka Zakrisson; +Cc: Linux Containers Daniel Hokka Zakrisson wrote: > Daniel Lezcano wrote: > > Wouldn't it be better to simply remove CAP_SYS_BOOT from containers > until sys_reboot emits some signal to userspace to restart/halt the > container? (This is what we do in Linux-VServer.) Ok, I will try, thanks. BTW, isn't possible that a process gave CAP_SYS_BOOT capability again to himself and being able to shutdown the host ? I guess I should remove CAP_SETPCAP too, no ? ^ permalink raw reply [flat|nested] 8+ messages in thread
[parent not found: <4910B34B.7070901-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>]
* Re: [patch 1/1][RFC] do not sys_reboot when not in init_pid_ns [not found] ` <4910B34B.7070901-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org> @ 2008-11-04 21:01 ` Serge E. Hallyn [not found] ` <20081104210134.GA6238-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> 0 siblings, 1 reply; 8+ messages in thread From: Serge E. Hallyn @ 2008-11-04 21:01 UTC (permalink / raw) To: Daniel Lezcano; +Cc: Linux Containers Quoting Daniel Lezcano (dlezcano-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org): > Daniel Hokka Zakrisson wrote: > > Daniel Lezcano wrote: > > > > Wouldn't it be better to simply remove CAP_SYS_BOOT from containers > > until sys_reboot emits some signal to userspace to restart/halt the > > container? (This is what we do in Linux-VServer.) > > Ok, I will try, thanks. > > BTW, isn't possible that a process gave CAP_SYS_BOOT capability again to > himself and being able to shutdown the host ? I guess I should remove > CAP_SETPCAP too, no ? No, remove it from your bounding set. You can never add bits back to that set. prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT); -serge ^ permalink raw reply [flat|nested] 8+ messages in thread
[parent not found: <20081104210134.GA6238-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>]
* Re: [patch 1/1][RFC] do not sys_reboot when not in init_pid_ns [not found] ` <20081104210134.GA6238-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> @ 2008-11-04 21:39 ` Daniel Lezcano 2008-11-04 22:14 ` Daniel Lezcano 1 sibling, 0 replies; 8+ messages in thread From: Daniel Lezcano @ 2008-11-04 21:39 UTC (permalink / raw) To: Serge E. Hallyn; +Cc: Linux Containers Serge E. Hallyn wrote: > Quoting Daniel Lezcano (dlezcano-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org): >> Daniel Hokka Zakrisson wrote: >>> Daniel Lezcano wrote: >>> >>> Wouldn't it be better to simply remove CAP_SYS_BOOT from containers >>> until sys_reboot emits some signal to userspace to restart/halt the >>> container? (This is what we do in Linux-VServer.) >> Ok, I will try, thanks. >> >> BTW, isn't possible that a process gave CAP_SYS_BOOT capability again to >> himself and being able to shutdown the host ? I guess I should remove >> CAP_SETPCAP too, no ? > > No, remove it from your bounding set. You can never add bits back to > that set. prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT); Excellent, I will try that. Thanks guys. -- Daniel ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [patch 1/1][RFC] do not sys_reboot when not in init_pid_ns [not found] ` <20081104210134.GA6238-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> 2008-11-04 21:39 ` Daniel Lezcano @ 2008-11-04 22:14 ` Daniel Lezcano 1 sibling, 0 replies; 8+ messages in thread From: Daniel Lezcano @ 2008-11-04 22:14 UTC (permalink / raw) To: Serge E. Hallyn; +Cc: Linux Containers Serge E. Hallyn wrote: > Quoting Daniel Lezcano (dlezcano-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org): >> Daniel Hokka Zakrisson wrote: >>> Daniel Lezcano wrote: >>> >>> Wouldn't it be better to simply remove CAP_SYS_BOOT from containers >>> until sys_reboot emits some signal to userspace to restart/halt the >>> container? (This is what we do in Linux-VServer.) >> Ok, I will try, thanks. >> >> BTW, isn't possible that a process gave CAP_SYS_BOOT capability again to >> himself and being able to shutdown the host ? I guess I should remove >> CAP_SETPCAP too, no ? > > No, remove it from your bounding set. You can never add bits back to > that set. prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT); Tested with lxc and debian minimal, I can halt/shutdown the container from inside. Cool ! Thanks. -- Daniel ^ permalink raw reply [flat|nested] 8+ messages in thread
[parent not found: <490CEDA0.6020800-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>]
* Re: [patch 1/1][RFC] do not sys_reboot when not in init_pid_ns [not found] ` <490CEDA0.6020800-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org> @ 2008-11-02 0:16 ` Daniel Hokka Zakrisson 2008-11-03 18:59 ` Dave Hansen 1 sibling, 0 replies; 8+ messages in thread From: Daniel Hokka Zakrisson @ 2008-11-02 0:16 UTC (permalink / raw) To: Daniel Lezcano; +Cc: Linux Containers Daniel Lezcano wrote: > Wouldn't it be better to simply remove CAP_SYS_BOOT from containers until sys_reboot emits some signal to userspace to restart/halt the container? (This is what we do in Linux-VServer.) -- Daniel Hokka Zakrisson ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [patch 1/1][RFC] do not sys_reboot when not in init_pid_ns [not found] ` <490CEDA0.6020800-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org> 2008-11-02 0:16 ` Daniel Hokka Zakrisson @ 2008-11-03 18:59 ` Dave Hansen 1 sibling, 0 replies; 8+ messages in thread From: Dave Hansen @ 2008-11-03 18:59 UTC (permalink / raw) To: Daniel Lezcano; +Cc: Linux Containers On Sun, 2008-11-02 at 01:00 +0100, Daniel Lezcano wrote: > +++ net-next-2.6/kernel/sys.c > @@ -355,6 +355,9 @@ asmlinkage long sys_reboot(int magic1, i > if (!capable(CAP_SYS_BOOT)) > return -EPERM; > > + if (current->nsproxy->pid_ns != &init_pid_ns) > + return 0; > + > /* For safety, we require "magic" arguments. */ > if (magic1 != LINUX_REBOOT_MAGIC1 || > (magic2 != LINUX_REBOOT_MAGIC2 && One problem I have with this is that it specifically defines being "in a container" as being in a pid_ns other than the init_pid_ns. If we're going to go down this road, it should be at *least*: int in_a_container(void) { return current->nsproxy->pid_ns != &init_pid_ns; } But, this also sucks because we don't want to be introducing new code paths all over the kernel for the "container" case. What we'll end up with little craplets like this spread all over: if (in_a_container()) { /* don't ever test this code path */ } :) So I think we should avoid what you're trying to do here like the plague. -- Dave ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2008-11-04 22:14 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-11-02 0:00 [patch 1/1][RFC] do not sys_reboot when not in init_pid_ns Daniel Lezcano
[not found] ` <54333.2001:16d8:ff15:101:219:d2ff:fed5:8193.1225584965.squirrel@intranet>
2008-11-02 23:04 ` Serge E. Hallyn
2008-11-04 20:40 ` Daniel Lezcano
[not found] ` <4910B34B.7070901-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
2008-11-04 21:01 ` Serge E. Hallyn
[not found] ` <20081104210134.GA6238-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-11-04 21:39 ` Daniel Lezcano
2008-11-04 22:14 ` Daniel Lezcano
[not found] ` <490CEDA0.6020800-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
2008-11-02 0:16 ` Daniel Hokka Zakrisson
2008-11-03 18:59 ` Dave Hansen
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.