From: ebiederm@xmission.com (Eric W. Biederman)
To: Oleg Nesterov <oleg@redhat.com>
Cc: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>,
	Lennart Poettering <lennart@poettering.net>,
	Kay Sievers <kay.sievers@vrfy.org>,
	Ingo Molnar <mingo@redhat.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Cyrill Gorcunov <gorcunov@openvz.org>,
	John Stultz <john.stultz@linaro.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Nicolas Pitre <nicolas.pitre@linaro.org>,
	Michal Hocko <mhocko@suse.com>,
	Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>,
	Mateusz Guzik <mguzik@redhat.com>,
	linux-kernel@vger.kernel.org,
	Pavel Emelyanov <xemul@virtuozzo.com>,
	Konstantin Khorenko <khorenko@virtuozzo.com>
Subject: Re: setns() && PR_SET_CHILD_SUBREAPER
Date: Tue, 24 Jan 2017 07:21:11 +1300
Message-ID: <87tw8p8wo8.fsf@xmission.com>
In-Reply-To: <20170123164420.GA2145@redhat.com> (Oleg Nesterov's message of "Mon, 23 Jan 2017 17:44:20 +0100")

Oleg Nesterov <oleg@redhat.com> writes:

> And this discussion reminds me again that I do not understand how setns()
> and PR_SET_CHILD_SUBREAPER should play together... Add cc's.

I agree that they are currently playing together incorrectly.

> Suppose we have a process P in the root namespace and another namespace X.
>
> P does setns() and enters the X namespace.
> P forks a child C.
>
> C forks a grandchild G.
> C exits.
>
> The question is, where should we reparent the grandchild G? In the normal
> case it will be reparented to X->child_reaper and this looks correct.
>
> But let's suppose that P runs with the ->has_child_subreaper bit set. In
> this case it will be reparented to P's sub-reaper or a global init, and
> given that P can't control its ->has_child_subreaper flag this does not
> look right to me.
>
> I can make a simple patch but perhaps I missed something or we actually
> want this (imo strange) behaviour?

We definitely do not want a child to be reparented out of a pid namespace
when the pid namespace has a perfectly fine child_reaper.

The special case for the init_task in find_new_reaper appears to be the
instance of this problem that was considered in the code.

Given the semantics described and asked for of PR_SET_CHILD_SUBREAPER I
believe has_child_subreaper needs to be strictly considered an
implementation detail and any way that userspace can observe it a bug in
the code.

Semantically what we want to do is walk up the parents in the process
tree.  If a parent has is_child_subreaper we stop at it.  If in the
transition from one parent to the next we are switching pid namespaces
we want the reaper from the pid namespace.

As I recall has_child_subreaper was just supposed to be an optimization
so the common case would not have to walk up the process tree when
finding its parent.

If we retain any optimizations such as has_child_subreaper please
consider the case where a process with is_child_subreaper set exits,
and what happens to its children.

Eric
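
The parent walk described in this message, as a small user-space model (an added example, not code from the thread or from the kernel). The struct layout, find_reaper() and the fixture tasks S, A and X-init are constructed for illustration; tasks are treated as single-threaded.

```c
#include <stdio.h>

/* Constructed user-space model of the walk; not kernel code. */
struct task;
struct pidns { struct task *child_reaper; };
struct task {
    const char *name;
    struct task *parent;
    struct pidns *ns;          /* pid namespace the task lives in */
    int is_child_subreaper;    /* PR_SET_CHILD_SUBREAPER was called */
};

/* New parent for the children of the exiting task `dead`. */
struct task *find_reaper(const struct task *dead)
{
    const struct task *cur = dead;
    for (struct task *p = dead->parent; p; cur = p, p = p->parent) {
        if (p->ns != cur->ns)      /* next step would leave the pid namespace */
            break;
        if (p->is_child_subreaper || p == p->ns->child_reaper)
            return p;              /* nearest sub-reaper, or the ns init */
    }
    return dead->ns->child_reaper; /* never reparent out of the namespace */
}

/* Constructed fixture: the P/C/X scenario plus a same-namespace chain. */
static struct pidns root_ns, x_ns;
static struct task init0 = { "init",   NULL,   &root_ns, 0 };
static struct task S     = { "S",      &init0, &root_ns, 1 }; /* sub-reaper */
static struct task P     = { "P",      &S,     &root_ns, 0 }; /* did setns(X) */
static struct task A     = { "A",      &P,     &root_ns, 0 }; /* forked before setns */
static struct task xinit = { "X-init", &init0, &x_ns,    0 };
static struct task C     = { "C",      &P,     &x_ns,    0 }; /* forked after setns */
static struct pidns root_ns = { &init0 }, x_ns = { &xinit };

int main(void)
{
    printf("C exits: G goes to %s\n", find_reaper(&C)->name);
    printf("A exits: children go to %s\n", find_reaper(&A)->name);
    printf("S exits: children go to %s\n", find_reaper(&S)->name);
    return 0;
}
```

The walk reads only is_child_subreaper and the namespace of each parent, so the result does not depend on any inherited has_child_subreaper state.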

Thread overview: 19+ messages
2017-01-19 16:43 [PATCH] prctl: propagate has_child_subreaper flag to every descendant Pavel Tikhomirov
2017-01-20 18:14 ` Oleg Nesterov
2017-01-22 10:00   ` Pavel Tikhomirov
2017-01-22 10:11   ` Pavel Tikhomirov
2017-01-23 11:55     ` Oleg Nesterov
2017-01-23 12:52       ` task_is_descendant() cleanup Oleg Nesterov
2017-01-25 21:59         ` Kees Cook
2017-01-30 13:49           ` Oleg Nesterov
2017-01-23 14:30       ` [PATCH] prctl: propagate has_child_subreaper flag to every descendant Pavel Tikhomirov
2017-01-23 16:06         ` Oleg Nesterov
2017-01-23 11:57 ` [PATCH] introduce the walk_process_tree() helper Oleg Nesterov
2017-01-23 12:07   ` Oleg Nesterov
2017-01-24 15:01   ` Pavel Tikhomirov
2017-01-23 16:44 ` setns() && PR_SET_CHILD_SUBREAPER Oleg Nesterov
2017-01-23 18:21   ` Eric W. Biederman [this message]
2017-01-24 14:07     ` Oleg Nesterov
2017-01-24 15:24       ` Eric W. Biederman
2017-01-30 18:16         ` Oleg Nesterov
2017-01-30 18:17         ` [PATCH] exit: fix the setns() && PR_SET_CHILD_SUBREAPER interaction Oleg Nesterov