From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Andrew Morton
<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
Subject: Re: [PATCH 11/11] pidns: Support unsharing the pid namespace.
Date: Thu, 20 Dec 2012 17:43:04 -0800 [thread overview]
Message-ID: <871uektc2f.fsf@xmission.com> (raw)
In-Reply-To: <20121219181400.GA22991-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> (Oleg Nesterov's message of "Wed, 19 Dec 2012 19:14:00 +0100")
Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> writes:
> Hi Eric,
>
> oleg-6lXkIZvqkOAvJsYlp49lxw@public.gmane.org no longer works, so I just noticed these emails.
Darn and instead of bouncing the emails just go into a black hole :(
I have updated my address book to point to oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org so
hopefully I don't make that mistake again.
> On 11/16, Eric W. Biederman wrote:
>>
>> Unsharing of the pid namespace unlike unsharing of other namespaces
>> does not take affect immediately. Instead it affects the children
>> created with fork and clone.
>
> I'll try to read this series later, but I am not sure I will ever
> understand the code with these patches ;)
Hopefully the code doesn't cause you too many problems.
> So alloc_pid() becomes the only user nsproxy->pid_ns and it is not
> necessarily equal to task_active_pid_ns(). It seems to me that this
> adds a lot of new corner cases.
I have tried to simply outlaw the most of the new corner cases as they
simply are not interesting so there is no point implementing them,
or thinking about them once they are outlawed.
> Unless I missed something, at least we should not allow CLONE_THREAD
> if active_pid_ns != nsproxy->pid_ns. If nothing else, copy_process()
> initializes ->child_reaper only if thread_group_leader(child). And
> ->child_reaper == NULL can obviously lead to crash.
Hmm. Let me think that through as you may have a point.
In copy_pid_ns I fail if task_active_pid_ns != nsproxy->pid_ns, and in
unshare CLONE_NEW_PID implies "CLONE_THREAD|CLONE_VM|CLONE_SIGHAND". So
I avoid most of those cases already.
You are asking about clone(CLONE_THREAD) after unshare(CLONE_NEWPID). I
totally failed to realize that case existed. Oleg thank you for
pointing it out.
Below is my preliminary patch for ruling those things out. I have added
CLONE_PARENT to the forbidden set because that seems about as bad
as CLONE_SIGHAND or CLONE_THREAD.
I will cook up a proper patch and get it merged shortly.
Eric
diff --git a/kernel/fork.c b/kernel/fork.c
index c36c4e3..340a25c 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1166,6 +1166,14 @@ static struct task_struct *copy_process(unsigned long clone_flags,
current->signal->flags & SIGNAL_UNKILLABLE)
return ERR_PTR(-EINVAL);
+ /*
+ * If the children will be in a different pid namespace don't allow
+ * the creation of threads.
+ */
+ if ((clone_flags & (CLONE_THREAD|CLONE_SIGHAND|CLONE_VM|CLONE_PARENT)) &&
+ task_active_pid_ns(current) != current->nsproxy->pid_ns)
+ return ERR_PTR(-EINVAL);
+
retval = security_task_create(clone_flags);
if (retval)
goto fork_out;
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Oleg Nesterov <oleg@redhat.com>
Cc: Linux Containers <containers@lists.linux-foundation.org>,
linux-kernel@vger.kernel.org, Serge Hallyn <serge@hallyn.com>,
Gao feng <gaofeng@cn.fujitsu.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH 11/11] pidns: Support unsharing the pid namespace.
Date: Thu, 20 Dec 2012 17:43:04 -0800 [thread overview]
Message-ID: <871uektc2f.fsf@xmission.com> (raw)
In-Reply-To: <20121219181400.GA22991@redhat.com> (Oleg Nesterov's message of "Wed, 19 Dec 2012 19:14:00 +0100")
Oleg Nesterov <oleg@redhat.com> writes:
> Hi Eric,
>
> oleg@tv-sign.ru no longer works, so I just noticed these emails.
Darn and instead of bouncing the emails just go into a black hole :(
I have updated my address book to point to oleg@redhat.com so
hopefully I don't make that mistake again.
> On 11/16, Eric W. Biederman wrote:
>>
>> Unsharing of the pid namespace unlike unsharing of other namespaces
>> does not take affect immediately. Instead it affects the children
>> created with fork and clone.
>
> I'll try to read this series later, but I am not sure I will ever
> understand the code with these patches ;)
Hopefully the code doesn't cause you too many problems.
> So alloc_pid() becomes the only user nsproxy->pid_ns and it is not
> necessarily equal to task_active_pid_ns(). It seems to me that this
> adds a lot of new corner cases.
I have tried to simply outlaw the most of the new corner cases as they
simply are not interesting so there is no point implementing them,
or thinking about them once they are outlawed.
> Unless I missed something, at least we should not allow CLONE_THREAD
> if active_pid_ns != nsproxy->pid_ns. If nothing else, copy_process()
> initializes ->child_reaper only if thread_group_leader(child). And
> ->child_reaper == NULL can obviously lead to crash.
Hmm. Let me think that through as you may have a point.
In copy_pid_ns I fail if task_active_pid_ns != nsproxy->pid_ns, and in
unshare CLONE_NEW_PID implies "CLONE_THREAD|CLONE_VM|CLONE_SIGHAND". So
I avoid most of those cases already.
You are asking about clone(CLONE_THREAD) after unshare(CLONE_NEWPID). I
totally failed to realize that case existed. Oleg thank you for
pointing it out.
Below is my preliminary patch for ruling those things out. I have added
CLONE_PARENT to the forbidden set because that seems about as bad
as CLONE_SIGHAND or CLONE_THREAD.
I will cook up a proper patch and get it merged shortly.
Eric
diff --git a/kernel/fork.c b/kernel/fork.c
index c36c4e3..340a25c 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1166,6 +1166,14 @@ static struct task_struct *copy_process(unsigned long clone_flags,
current->signal->flags & SIGNAL_UNKILLABLE)
return ERR_PTR(-EINVAL);
+ /*
+ * If the children will be in a different pid namespace don't allow
+ * the creation of threads.
+ */
+ if ((clone_flags & (CLONE_THREAD|CLONE_SIGHAND|CLONE_VM|CLONE_PARENT)) &&
+ task_active_pid_ns(current) != current->nsproxy->pid_ns)
+ return ERR_PTR(-EINVAL);
+
retval = security_task_create(clone_flags);
if (retval)
goto fork_out;
next prev parent reply other threads:[~2012-12-21 1:43 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-16 16:32 [REVIEW][PATCH 0/11] pid namespace cleanups and enhancements Eric W. Biederman
2012-11-16 16:32 ` Eric W. Biederman
[not found] ` <8739097bkk.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-16 16:35 ` [PATCH 01/11] procfs: Use the proc generic infrastructure for proc/self Eric W. Biederman
2012-11-16 16:35 ` Eric W. Biederman
2012-11-16 16:35 ` [PATCH 07/11] pidns: Wait in zap_pid_ns_processes until pid_ns->nr_hashed == 1 Eric W. Biederman
[not found] ` <1353083750-3621-7-git-send-email-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-21 2:24 ` Gao feng
2012-11-21 2:24 ` Gao feng
2012-12-19 18:47 ` Oleg Nesterov
2012-12-19 18:47 ` Oleg Nesterov
[not found] ` <20121219184757.GB22991-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-12-21 1:19 ` Eric W. Biederman
2012-12-21 1:19 ` Eric W. Biederman
[not found] ` <87bodourqt.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-21 14:11 ` Oleg Nesterov
2012-12-21 14:11 ` Oleg Nesterov
[not found] ` <20121221141133.GA13805-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-12-21 15:02 ` Oleg Nesterov
2012-12-21 15:02 ` Oleg Nesterov
[not found] ` <20121221150238.GA16003-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-12-21 15:31 ` Oleg Nesterov
2012-12-21 15:31 ` Oleg Nesterov
[not found] ` <20121221153152.GA17250-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-12-21 18:42 ` Eric W. Biederman
2012-12-21 18:42 ` Eric W. Biederman
2012-12-21 18:33 ` Eric W. Biederman
2012-12-21 18:33 ` Eric W. Biederman
[not found] ` <1353083750-3621-1-git-send-email-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-16 16:35 ` [PATCH 02/11] procfs: Don't cache a pid in the root inode Eric W. Biederman
2012-11-16 16:35 ` Eric W. Biederman
[not found] ` <1353083750-3621-2-git-send-email-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-21 1:07 ` Gao feng
2012-11-21 1:07 ` Gao feng
2012-11-16 16:35 ` [PATCH 03/11] pidns: Capture the user namespace and filter ns_last_pid Eric W. Biederman
2012-11-16 16:35 ` Eric W. Biederman
[not found] ` <1353083750-3621-3-git-send-email-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-21 1:26 ` Gao feng
2012-11-21 1:26 ` Gao feng
2012-11-16 16:35 ` [PATCH 04/11] pidns: Use task_active_pid_ns where appropriate Eric W. Biederman
2012-11-16 16:35 ` Eric W. Biederman
[not found] ` <1353083750-3621-4-git-send-email-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-21 2:02 ` Gao feng
2012-11-21 2:02 ` Gao feng
2012-11-16 16:35 ` [PATCH 05/11] pidns: Make the pidns proc mount/umount logic obvious Eric W. Biederman
2012-11-16 16:35 ` Eric W. Biederman
[not found] ` <1353083750-3621-5-git-send-email-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-19 11:02 ` Gao feng
2012-11-19 11:02 ` Gao feng
2012-11-16 16:35 ` [PATCH 06/11] pidns: Don't allow new processes in a dead pid namespace Eric W. Biederman
2012-11-16 16:35 ` Eric W. Biederman
[not found] ` <1353083750-3621-6-git-send-email-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-21 2:17 ` Gao feng
2012-11-21 2:17 ` Gao feng
2012-11-16 16:35 ` [PATCH 07/11] pidns: Wait in zap_pid_ns_processes until pid_ns->nr_hashed == 1 Eric W. Biederman
2012-11-16 16:35 ` [PATCH 08/11] pidns: Deny strange cases when creating pid namespaces Eric W. Biederman
2012-11-16 16:35 ` Eric W. Biederman
[not found] ` <1353083750-3621-8-git-send-email-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-21 2:25 ` Gao feng
2012-11-21 2:25 ` Gao feng
2012-11-16 16:35 ` [PATCH 09/11] pidns: Add setns support Eric W. Biederman
2012-11-16 16:35 ` Eric W. Biederman
[not found] ` <1353083750-3621-9-git-send-email-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-19 9:11 ` Gao feng
2012-11-19 9:11 ` Gao feng
[not found] ` <50A9F7DE.60807-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2012-11-19 9:27 ` Eric W. Biederman
2012-11-19 9:27 ` Eric W. Biederman
2012-11-21 2:36 ` Gao feng
2012-11-21 2:36 ` Gao feng
2012-11-16 16:35 ` [PATCH 10/11] pidns: Consolidate initialzation of special init task state Eric W. Biederman
2012-11-16 16:35 ` Eric W. Biederman
[not found] ` <1353083750-3621-10-git-send-email-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-21 2:56 ` Gao feng
2012-11-21 2:56 ` Gao feng
2012-11-16 16:35 ` [PATCH 11/11] pidns: Support unsharing the pid namespace Eric W. Biederman
2012-11-16 16:35 ` Eric W. Biederman
[not found] ` <1353083750-3621-11-git-send-email-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-21 2:55 ` Gao feng
2012-11-21 2:55 ` Gao feng
2012-12-19 18:14 ` Oleg Nesterov
2012-12-19 18:14 ` Oleg Nesterov
[not found] ` <20121219181400.GA22991-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-12-21 1:43 ` Eric W. Biederman [this message]
2012-12-21 1:43 ` Eric W. Biederman
[not found] ` <871uektc2f.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-21 15:49 ` Oleg Nesterov
2012-12-21 15:49 ` Oleg Nesterov
[not found] ` <20121221154931.GA18730-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-12-21 17:51 ` Eric W. Biederman
2012-12-21 17:51 ` Eric W. Biederman
[not found] ` <87fw2zmgzc.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-21 19:24 ` Rob Landley
2012-12-21 19:24 ` Rob Landley
2012-12-21 22:58 ` namespace documentation Eric W. Biederman
2012-12-21 22:58 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871uektc2f.fsf@xmission.com \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.