From mboxrd@z Thu Jan 1 00:00:00 1970
From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
Subject: Re: [PATCH] Move console redirect to pid namespace
Date: Thu, 14 Feb 2013 20:23:31 -0800
Message-ID: <87d2w29pdo.fsf@xmission.com>
References: <1360376920-30824-1-git-send-email-minyard@acm.org> <20130209191409.643c3d7f@neptune.home> <87r4kkuj4o.fsf@xmission.com> <511D9890.1040900@acm.org>
In-Reply-To: <511D9890.1040900-HInyCGIudOg@public.gmane.org> (Corey Minyard's message of "Thu, 14 Feb 2013 20:08:16 -0600")
To: minyard-HInyCGIudOg@public.gmane.org
Cc: Corey Minyard, Bruno Prémont, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, Linux Kernel
List-Id: containers.vger.kernel.org
Corey Minyard writes:

> On 02/13/2013 01:08 PM, Eric W. Biederman wrote:
>> Bruno Prémont writes:
>>
>>> CCing containers list
>>>
>>> On Fri, 08 February 2013 minyard@acm.org wrote:
>>>> From: Corey Minyard
>>>>
>>>> The console redirect - ioctl(fd, TIOCCONS) - is not in a namespace,
>>>> thus a container can do a redirect and grab all the I/O on the host
>>>> and all container consoles.
>>>>
>>>> This change puts the redirect in the pid namespace.
>>>>
>>>> Signed-off-by: Corey Minyard
>>>> ---
>>>>
>>>> I'm pretty sure this patch is not correct, but I'm not quite sure the
>>>> best way to fix this. I'm not 100% sure that the pid namespace is the
>>>> right place, but it seemed the most reasonable of all the choices. The
>>>> other obvious choice is the mount namespace, but it didn't seem as good
>>>> a fit.
>>> With recent changes, tying it to init user namespace might even be
>>> better.
>> With recent changes this is tied to the initial user namespace. So the
>> simple solution to this and so many other similar security problems is
>> to run your container in a user namespace.
>>
>> The permission check currently is capable(CAP_SYS_ADMIN) which requires
>> the caller to have the CAP_SYS_ADMIN in the initial user namespace.
>
> I'm not sure I follow. Are these changes in k.org, or in another
> repository someplace?

In k.org. 3.7 would work. 3.8-rcX would work even better.

root in a user namespace does not have permission to call TIOCCONS.

>> Is there a desire to have TIOCCONS not just fail in a container but to
>> have TIOCCONS work in a container specific way?
>
> Well, my desire is for the host console to work properly if a
> container uses TIOCCONS :-). It seems to me that the most consistent
> way to handle this is to have TIOCCONS in a container redirect the
> container's console.

Last I looked people were creating a regular pty and using that in
/dev/ for their containers. So the empirical evidence is that TIOCCONS
is not needed. What case are you looking at that needs TIOCCONS?

If there is good cause we can make TIOCCONS work but we need a
compelling case beyond root in a container can do bad things.

>>>> The other problem is that I don't think you can call fput() from
>>>> destroy_pid_namespace(). That can be called from interrupt context,
>>>> and I don't think fput() is safe there. I know it's not safe in 3.4
>>>> with the RT patch applied. However, the only way I've come up with to
>>>> fix it is to add a workqueue, and that seems a bit heavy for this.
>> Actually getting destroy_pid_namespace out of interrupt context wouldn't
>> be the worst thing in the world.
>
> I would agree, but it would still require something like a workqueue.
> Is there a better mechanism?

It might be as simple as finding all of the put_pids and moving them out
of spin_lock critical sections. I don't know that we drop pids in
actual interrupt context.

Eric
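As an added example (not code from this thread, the patch, or the kernel), a probe a container operator can run inside a container to confirm the behaviour Eric describes: TIOCCONS on a tty should fail with EPERM when the caller lacks CAP_SYS_ADMIN in the initial user namespace. It assumes a Linux host with /dev/ptmx; if the redirect unexpectedly succeeds, it is cleared immediately by issuing TIOCCONS on /dev/console, which drops the current redirect.

```c
/* Added example, not from the thread or the kernel: probe whether TIOCCONS
 * is refused for this process (run inside a container; EPERM is expected). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>
enum tioccons_verdict {
    TIOCCONS_REFUSED,   /* EPERM: no CAP_SYS_ADMIN in the initial user ns */
    TIOCCONS_BUSY,      /* EBUSY: console already redirected elsewhere */
    TIOCCONS_NO_TTY,    /* no tty to test with (ENOTTY, or no /dev/ptmx) */
    TIOCCONS_PERMITTED, /* rc == 0: redirect worked, isolation NOT in place */
    TIOCCONS_OTHER
};
/* Pure mapping from the ioctl() result to a verdict; testable offline. */
enum tioccons_verdict classify_tioccons(int rc, int err)
{
    if (rc == 0)
        return TIOCCONS_PERMITTED;
    switch (err) {
    case EPERM:  return TIOCCONS_REFUSED;
    case EBUSY:  return TIOCCONS_BUSY;
    case ENOTTY: return TIOCCONS_NO_TTY;
    default:     return TIOCCONS_OTHER;
    }
}
/* Try the redirect on a fresh pty master (assumes /dev/ptmx). If it
 * unexpectedly succeeds, TIOCCONS on /dev/console clears the redirect. */
enum tioccons_verdict probe_tioccons(void)
{
    int fd = posix_openpt(O_RDWR | O_NOCTTY);
    if (fd < 0)
        return TIOCCONS_NO_TTY;
    int rc = ioctl(fd, TIOCCONS);
    int err = errno;
    if (rc == 0) {
        int con = open("/dev/console", O_WRONLY | O_NOCTTY);
        if (con >= 0) { ioctl(con, TIOCCONS); close(con); } /* undo at once */
    }
    close(fd);
    return classify_tioccons(rc, err);
}
int main(void)
{
    enum tioccons_verdict v = probe_tioccons();
    printf("TIOCCONS verdict %d (0 = refused as expected, 3 = PERMITTED)\n", v);
    return v == TIOCCONS_PERMITTED; /* nonzero exit means isolation failed */
}
```

A PERMITTED verdict from inside a container means the container is not running in a user namespace (or was granted host CAP_SYS_ADMIN), which is exactly the exposure the patch set out to close.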