From mboxrd@z Thu Jan 1 00:00:00 1970
From: Corey Minyard
Subject: Re: [PATCH] Move console redirect to pid namespace
Date: Thu, 14 Feb 2013 20:08:16 -0600
Message-ID: <511D9890.1040900@acm.org>
References: <1360376920-30824-1-git-send-email-minyard@acm.org> <20130209191409.643c3d7f@neptune.home> <87r4kkuj4o.fsf@xmission.com>
In-Reply-To: <87r4kkuj4o.fsf@xmission.com>
Reply-To: minyard@acm.org
To: "Eric W. Biederman"
Cc: Corey Minyard, Bruno Prémont, containers@lists.linux-foundation.org, Linux Kernel
List-Id: containers.vger.kernel.org
On 02/13/2013 01:08 PM, Eric W. Biederman wrote:
> Bruno Prémont writes:
>
>> CCing containers list
>>
>> On Fri, 08 February 2013 minyard@acm.org wrote:
>>> From: Corey Minyard
>>>
>>> The console redirect - ioctl(fd, TIOCCONS) - is not in a namespace,
>>> thus a container can do a redirect and grab all the I/O on the host
>>> and all container consoles.
>>>
>>> This change puts the redirect in the pid namespace.
>>>
>>> Signed-off-by: Corey Minyard
>>> ---
>>>
>>> I'm pretty sure this patch is not correct, but I'm not quite sure the
>>> best way to fix this. I'm not 100% sure that the pid namespace is the
>>> right place, but it seemed the most reasonable of all the choices. The
>>> other obvious choice is the mount namespace, but it didn't seem as good
>>> a fit.
>> With recent changes, tying it to init user namespace might even be
>> better.
> With recent changes this is tied to the initial user namespace. So the
> simple solution to this and so many other similar security problems is
> to run your container in a user namespace.
>
> The permission check currently is capable(CAP_SYS_ADMIN) which requires
> the caller to have the CAP_SYS_ADMIN in the initial user namespace.

I'm not sure I follow. Are these changes in k.org, or in another
repository someplace?

>
> Is there a desire to have TIOCCONS not just fail in a container but to
> have TIOCCONS work in a container specific way?

Well, my desire is for the host console to work properly if a container
uses TIOCCONS :-). It seems to me that the most consistent way to
handle this is to have TIOCCONS in a container redirect the container's
console.

>
>>> The other problem is that I don't think you can call fput() from
>>> destroy_pid_namespace(). That can be called from interrupt context,
>>> and I don't think fput() is safe there. I know it's not safe in 3.4
>>> with the RT patch applied. However, the only way I've come up with to
>>> fix it is to add a workqueue, and that seems a bit heavy for this.
> Actually getting destroy_pid_namespace out of interrupt context wouldn't
> be the worst thing in the world.

I would agree, but it would still require something like a workqueue.
Is there a better mechanism?

-corey
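As an added check, not code from this thread or from the kernel: a small C program that reports whether the calling process would pass the capable(CAP_SYS_ADMIN) check Eric describes, by reading CapEff from /proc/self/status and the mapping in /proc/self/uid_map. The bit number 21 for CAP_SYS_ADMIN and the "identity uid_map means initial user namespace" test are assumptions (the latter is a heuristic); the program never issues TIOCCONS itself.

```c
/* Added example, not code from this thread or the kernel: audit whether the
 * calling process passes the TIOCCONS permission check discussed above, i.e.
 * CAP_SYS_ADMIN as seen from the initial user namespace. Assumed: capability
 * bit 21 is CAP_SYS_ADMIN and a uid_map of "0 0 4294967295" marks the initial
 * user namespace (heuristic; a child ns can get the same map). No ioctl made. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN_BIT 21

/* Hex mask from the "CapEff:" line of /proc/self/status text, 0 if absent. */
unsigned long long parse_capeff(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    return p ? strtoull(p + strlen("CapEff:"), NULL, 16) : 0ULL;
}

int has_cap_sys_admin(unsigned long long capeff)
{
    return (int)((capeff >> CAP_SYS_ADMIN_BIT) & 1ULL);
}

/* True when /proc/self/uid_map text is the full identity mapping. */
int uid_map_is_identity(const char *uid_map_text)
{
    unsigned long long in, out, n;
    return sscanf(uid_map_text, "%llu %llu %llu", &in, &out, &n) == 3
        && in == 0 && out == 0 && n == 4294967295ULL;
}

static int read_proc(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    buf[fread(buf, 1, len - 1, f)] = '\0';
    fclose(f);
    return 1;
}

int main(void)
{
    char status[8192], map[256];
    if (!read_proc("/proc/self/status", status, sizeof status) ||
        !read_proc("/proc/self/uid_map", map, sizeof map))
        return 1;  /* no Linux /proc here; nothing to audit */
    int admin = has_cap_sys_admin(parse_capeff(status)), initns = uid_map_is_identity(map);
    printf("CAP_SYS_ADMIN: %s, initial user ns: %s => TIOCCONS %s\n",
           admin ? "yes" : "no", initns ? "yes" : "no",
           admin && initns ? "permitted" : "refused (EPERM)");
    return 0;
}
```

Run it inside the container in question: "refused" on both counts is what running the container in its own user namespace, as suggested in the thread, should produce.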