From: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: Alexey Dobriyan <adobriyan-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: Linux Containers
<containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>,
David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Subject: Re: [PATCH 4/5] cr: checkpoint and restore task credentials
Date: Thu, 14 May 2009 08:54:44 -0500 [thread overview]
Message-ID: <20090514135444.GB3980@us.ibm.com> (raw)
In-Reply-To: <20090514081850.GA21115-2ev+ksY9ol182hYKe6nXyg@public.gmane.org>
Quoting Alexey Dobriyan (adobriyan-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
> On Mon, May 11, 2009 at 11:05:39AM -0500, Serge E. Hallyn wrote:
> > --- a/checkpoint/objhash.c
> > +++ b/checkpoint/objhash.c
> > +#define CKPT_MAXGROUPS 15
> > +#define MAX_GROUPINFO_SIZE (sizeof(*h)+CKPT_MAXGROUPS*sizeof(gid_t))
> > +/* move this fn into kernel/sys.c next to group functions? */
> > +static int checkpoint_write_groupinfo(struct ckpt_ctx *ctx,
> > + struct group_info *g)
> > +{
> > + int ret, i, size;
> > + struct ckpt_hdr_groupinfo *h;
> > +
> > + if (g->ngroups > CKPT_MAXGROUPS) {
> > + ckpt_debug("Too many groups: %d (max is %d)\n",
> > + g->ngroups, CKPT_MAXGROUPS);
> > + return -E2BIG;
> > + }
>
> Ooh, a hack :-)
Yup - actually I originally only had this at restart, and we must
have it there to protect from malicious checkpoint images.
I copied it into the restart code during a cleanup phase, and I
probably shouldn't have.
> > + size = sizeof(*h) + g->ngroups * sizeof(__u32);
> > + h = ckpt_hdr_get_type(ctx, size, CKPT_HDR_GROUPINFO);
> > + if (!h)
> > + return -ENOMEM;
> > +
> > + h->ngroups = g->ngroups;
> > + for (i = 0; i < g->ngroups; i++)
> > + h->groups[i] = GROUP_AT(g, i);
> > +
> > + ret = ckpt_write_obj(ctx, (struct ckpt_hdr *) h);
> > + ckpt_hdr_put(ctx, h);
> > +
> > + return ret;
> > +}
>
> > +/*
> > + * write the user struct
> > + * TODO keyring will need to be dumped
> > + */
> > +#define UNSAVED_NS_MAX 5
>
> Another hack :-)
>
> This is an invitation to discuss what to do with references to future,
> especially given that object image can be variable-size _and_
> streamability on dump.
>
> In case of user->user_ns->creator, we can avoid the issue and dump creator
> first.
In fact I do dump the creator first. Note first that this '5' is not just
for 5 levels of (user->user_ns)->(creator->user_ns)->..., but for 5
such levels where there are no tasks in any of the intermediate user
namespaces. So a task did a
1. T1: T2=clone(CLONE_NEWNS)
2. T1: exit T2: T3=clone(CLONE_NEWNS)
3. T2: exit T3: T4=clone(CLONE_NEWNS)
4. T3: exit T4: t5=clone(CLONE_NEWNS)
As with groups, I think I agree with you that we don't need such a
limit at checkpoint time. But we need some kind of sanity check at
restart time. How about 5000?
thanks,
-serge
next prev parent reply other threads:[~2009-05-14 13:54 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-11 16:04 [PATCH 0/5] cr: attempt at task userid restoration Serge E. Hallyn
[not found] ` <20090511160424.GA12234-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-05-11 16:05 ` [PATCH 1/5] cr: break out new_user_ns() Serge E. Hallyn
2009-05-11 16:05 ` [PATCH 2/5] cr: split core function out of some set*{u,g}id functions Serge E. Hallyn
2009-05-11 16:05 ` [PATCH 3/5] cr: capabilities: define checkpoint and restore fns Serge E. Hallyn
2009-05-11 16:05 ` [PATCH 4/5] cr: checkpoint and restore task credentials Serge E. Hallyn
[not found] ` <20090511160539.GD12286-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-05-12 12:34 ` [PATCH 1/1] cr: child user namespace must grab ref to creator Serge E. Hallyn
2009-05-14 8:18 ` [PATCH 4/5] cr: checkpoint and restore task credentials Alexey Dobriyan
[not found] ` <20090514081850.GA21115-2ev+ksY9ol182hYKe6nXyg@public.gmane.org>
2009-05-14 10:52 ` Alexey Dobriyan
[not found] ` <20090514105252.GA31197-2ev+ksY9ol182hYKe6nXyg@public.gmane.org>
2009-05-14 13:58 ` Serge E. Hallyn
2009-05-14 13:54 ` Serge E. Hallyn [this message]
2009-05-11 16:05 ` [PATCH 5/5] cr: restore file->f_cred Serge E. Hallyn
[not found] ` <20090511160512.GB12286-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-05-11 16:24 ` [PATCH 2/5] cr: split core function out of some set*{u, g}id functions David Howells
[not found] ` <22104.1242059047-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2009-05-11 18:08 ` [PATCH 2/5] cr: split core function out of some set*{u,g}id functions Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090514135444.GB3980@us.ibm.com \
--to=serue-r/jw6+rmf7hqt0dzr+alfa@public.gmane.org \
--cc=adobriyan-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org \
--cc=dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox