From: ebiederm@xmission.com (Eric W. Biederman)
To: Oleg Nesterov <oleg@redhat.com>
Cc: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>,
Andrew Morton <akpm@osdl.org>,
roland@redhat.com, daniel@hozac.com,
Containers <containers@lists.osdl.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 7/7][v8] SI_USER: Masquerade si_pid when crossing pid ns boundary
Date: Thu, 19 Feb 2009 14:18:46 -0800 [thread overview]
Message-ID: <m1fxiayss9.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20090219185159.GA374@redhat.com> (Oleg Nesterov's message of "Thu\, 19 Feb 2009 19\:51\:59 +0100")
Oleg Nesterov <oleg@redhat.com> writes:
> On 02/19, Eric W. Biederman wrote:
>>
>> Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com> writes:
>>
>> > From: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
>> > Date: Wed, 24 Dec 2008 14:14:18 -0800
>> > Subject: [PATCH 7/7][v8] SI_USER: Masquerade si_pid when crossing pid ns
>> > boundary
>> >
>> > When sending a signal to a descendant namespace, set ->si_pid to 0 since
>> > the sender does not have a pid in the receiver's namespace.
>> >
>> > Note:
>> > - If rt_sigqueueinfo() sets si_code to SI_USER when sending a
>> > signal across a pid namespace boundary, the value in ->si_pid
>> > will be cleared to 0.
>> >
>> > Changelog[v5]:
>> > - (Oleg Nesterov) Address both sys_kill() and sys_tkill() cases
>> > in send_signal() to simplify code (this drops patch 7/7 from
>> > earlier version of patchset).
>> >
>> > Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
>> > ---
>> > kernel/signal.c | 2 ++
>> > 1 files changed, 2 insertions(+), 0 deletions(-)
>> >
>> > diff --git a/kernel/signal.c b/kernel/signal.c
>> > index c94355b..a416d77 100644
>> > --- a/kernel/signal.c
>> > +++ b/kernel/signal.c
>> > @@ -883,6 +883,8 @@ static int __send_signal(int sig, struct siginfo *info,
>> > struct task_struct *t,
>> > break;
>> > default:
>> > copy_siginfo(&q->info, info);
>> > + if (from_ancestor_ns)
>> > + q->info.si_pid = 0;
>>
>> This is wrong. siginfo is a union and you need to inspect
>> code to see if si_pid is present in the current union.
>
> SI_FROMUSER() == T, unless we have more (hopefully not) in-kernel
> users which send SI_FROMUSER() signals, .si_pid must be valid?
So the argument is that while things such as force_sig_info(SIGSEGV)
don't have a si_pid we don't care because from_ancestor_ns == 0.
Interesting. Then I don't know if we have any kernel senders
that cross the namespace boundaries.
That said I still object to this code.
sys_kill(-pgrp, SIGUSR1)
kill_something_info(SIGUSR1, &info, 0)
__kill_pgrp_info(SIGUSR1, &info task_pgrp(current))
group_send_sig_info(SIGUSR1, &info, tsk)
__group_send_sig_info(SIGUSR1, &info, tsk)
send_signal(SIGUSR1, &info, tsk, 1)
__send_signal(SIGUSR1, &info, tsk, 1)
Process groups and sessions can have processes in multiple pid
namespaces, which is very useful for not messing up your controlling
terminal.
In which case sys_kill cannot possibly set the si_pid value correct
and from_ancestor_ns is not enough either.
So I see two valid policies with setting si_pid. Push the work
out to the callers of send_signal (kill_pgrp in this case). And
know you have a valid set of siginfo values. Or handle the work
in send_signal.
Given that except for process groups we don't send the same siginfo
to multiple processes simply generating the right siginfo values
from the start appears easy enough.
I am not current with the current rule: the caller of send_signal will
do all of the work except for sometimes. I don't see how we can figure
out which code path has the bug in it with a rule like that.
Eric
next prev parent reply other threads:[~2009-02-19 22:18 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-19 3:02 [PATCH 0/7][v8] Container-init signal semantics Sukadev Bhattiprolu
2009-02-19 3:05 ` [PATCH 1/7][v8] Remove 'handler' parameter to tracehook functions Sukadev Bhattiprolu
2009-02-19 3:05 ` [PATCH 2/7][v8] Protect init from unwanted signals more Sukadev Bhattiprolu
2009-02-19 3:06 ` [PATCH 3/7][v8] Add from_ancestor_ns parameter to send_signal() Sukadev Bhattiprolu
2009-02-19 3:06 ` [PATCH 4/7][v8] Protect cinit from unblocked SIG_DFL signals Sukadev Bhattiprolu
[not found] ` <20090219030207.GA18783-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-02-19 3:07 ` [PATCH 5/7][v8] zap_pid_ns_process() should use force_sig() Sukadev Bhattiprolu
2009-02-19 3:07 ` Sukadev Bhattiprolu
[not found] ` <20090219030704.GE18990-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-02-19 18:59 ` Oleg Nesterov
2009-02-19 18:59 ` Oleg Nesterov
2009-02-19 20:26 ` Sukadev Bhattiprolu
2009-02-19 3:07 ` [PATCH 6/7][v8] Protect cinit from blocked fatal signals Sukadev Bhattiprolu
2009-02-19 3:07 ` Sukadev Bhattiprolu
2009-02-19 20:53 ` [PATCH 0/7][v8] Container-init signal semantics Oleg Nesterov
2009-02-19 20:53 ` Oleg Nesterov
2009-02-19 3:07 ` [PATCH 7/7][v8] SI_USER: Masquerade si_pid when crossing pid ns boundary Sukadev Bhattiprolu
2009-02-19 16:11 ` Eric W. Biederman
[not found] ` <m1y6w21k6d.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2009-02-19 18:51 ` Oleg Nesterov
2009-02-19 18:51 ` Oleg Nesterov
2009-02-19 22:18 ` Eric W. Biederman [this message]
[not found] ` <m1fxiayss9.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2009-02-19 22:31 ` Oleg Nesterov
2009-02-19 22:31 ` Oleg Nesterov
2009-02-19 23:21 ` Eric W. Biederman
2009-02-19 23:51 ` Roland McGrath
2009-02-19 23:51 ` Roland McGrath
2009-02-20 0:35 ` Eric W. Biederman
[not found] ` <m1bpsyt05t.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2009-02-20 1:06 ` Roland McGrath
2009-02-20 1:06 ` Roland McGrath
2009-02-20 2:12 ` Eric W. Biederman
2009-02-20 3:10 ` Roland McGrath
2009-02-20 3:10 ` Roland McGrath
2009-02-20 4:05 ` Eric W. Biederman
[not found] ` <m1fxiaxbb5.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2009-02-20 0:28 ` Oleg Nesterov
2009-02-20 0:28 ` Oleg Nesterov
2009-02-20 1:16 ` Eric W. Biederman
2009-02-19 14:59 ` [PATCH 0/7][v8] Container-init signal semantics Daniel Lezcano
2009-03-07 19:04 ` Sukadev Bhattiprolu
2009-03-07 19:43 ` Daniel Lezcano
2009-03-07 19:51 ` Greg Kurz
2009-03-07 19:59 ` Daniel Lezcano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1fxiayss9.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=akpm@osdl.org \
--cc=containers@lists.osdl.org \
--cc=daniel@hozac.com \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=roland@redhat.com \
--cc=sukadev@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.