linux-audit.redhat.com archive mirror
From: ebiederm@xmission.com (Eric W. Biederman)
To: Peter Zijlstra <peterz@infradead.org>
Cc: Richard Guy Briggs <rgb@redhat.com>,
	Oleg Nesterov <oleg@redhat.com>,
	linux-kernel@vger.kernel.org, linux-audit@redhat.com,
	Eric Paris <eparis@redhat.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Ingo Molnar <mingo@redhat.com>,
	"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH 11/12] pid: rewrite task helper functions avoiding task->pid and task->tgid
Date: Tue, 27 Aug 2013 14:35:11 -0700
Message-ID: <87ob8ihl68.fsf@xmission.com>
In-Reply-To: <20130827121133.GD10002@twins.programming.kicks-ass.net> (Peter Zijlstra's message of "Tue, 27 Aug 2013 14:11:33 +0200")

Peter Zijlstra <peterz@infradead.org> writes:

> On Mon, Aug 26, 2013 at 10:37:22PM -0400, Richard Guy Briggs wrote:
>> On Fri, Aug 23, 2013 at 08:36:21AM +0200, Peter Zijlstra wrote:
>> > Except that's not the case, with namespaces there's a clear hierarchy
>> > and the task_struct::pid is the one true value aka. root namespace.
>> 
>> Peter, I agonized over the access efficiency of dropping this one or the
>> duplicate in task_struct::pids and this one was far easier to drop in
>> terms of somehow always forcing
>> task->pids[PIDTYPE_PID].pid->numbers[0].nr to point to task->pid.
>
> You mean there's more than 1 site that sets task_struct::pid? I thought
> we only assign that thing once in fork.c someplace.

No there is not and that is not a concern.

Now I had thought given how the perf subsystem was constructed that only
the god like root was even allowed to use the code.  But it turns out
there is sysctl_perf_event_paranoid that can be twiddled so that in some
circumstances unprivileged users are allowed to use perf.  Which
ultimately means perf will return the wrong data.

Meaning that perf is broken by design and perf has no excuse to be using
task->pid.  Similarly every other place in the kernel that has made the
same mistake.  I mention perf explicitly for two reasons.  perf gets the
namespace handling horribly wrong, perf is the only place in the kernel
where we are accessing pids frequently enough for an extra cache line
miss to be a concern.

When really with pids in the kernel what we care about is not some stupid
number but the struct pid which points to the tasks, process groups, and
sessions.  You know the object that a pid is the name for.

So yes as a long term direction task->pid and task->tgid need to be
killed because we keep getting subsystems like perf that return the
wrong data to userspace, or perform the wrong checks, because the
current structure makes it seem like it is ok to do the wrong thing.

Now that should not be Richard's fight.  Hopefully he can focus on
fixing audit.

> There's a few special cases, like the idle threads having pid-0 and
> 'simple' people like myself prefer to use task_struct::pid for debugging
> when we run our simple kernels without all this namespace stuff
> enabled.

Which is why a special printf format is likely a good idea because it
means you can easily print pids without needing to call ungainly helper
functions.

Of course you can't run kernels without this ``namespace'' stuff
enabled.  The best you can do is run kernels without the ability to
create new instances of the namespaces.

> The entire task->pids[PIDTYPE_PID].pid->numbers[0].nr thing just seems
> incredibly unwieldy and double dereferences, even if the lines are
> 'hot' are worse than single derefs.

But it is so much better than having to look up task->pid in a hash
table to get anything done, which is the previous state of affairs.

When the pid namespace support was merged except for a few overlooked
corner cases everything was converted except a bunch of printk
statements.  Now I look in the kernel and we have had subsystems added
that totally get the namespace handling wrong because it is easy and
apparently socially acceptable to mess up other people's hard work.

Apparently even Linus yelling at people a few years back wasn't enough
for people to wake up and be responsible developers and use proper
abstractions.  So the only valid long term direction I can see is to
remove all of the abstractions that make getting pid handling wrong,
and to fix all of the code that gets it wrong today.  So that there are
no more bad examples in the kernel.

This isn't Richard's fight, and this isn't what needs to happen with
audit.  Audit just needs to be fixed so that it reports pid
numbers the audit daemon can make sense of, and to do that the audit
should use helper functions that are pid namespace aware and make it
clear that the proper pid namespace is being used.

In the long term ->pid and ->tgid must die, and take all of this wrong
think with it.

Eric
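
Added illustration, not part of the original message and not kernel code: a userspace C model of the point argued above, that one struct pid carries a different number per namespace level, so a raw task->pid style field (the level-0 number) is only correct for a reader in the initial namespace. The lookup follows the shape of the kernel's pid_nr_ns(); the model_ functions, MAX_LEVEL, the namespace objects and the sample numbers are all constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_LEVEL 4   /* limit of this model, not a kernel constant */

struct pid_namespace { int level; struct pid_namespace *parent; };
struct upid { int nr; struct pid_namespace *ns; };
/* One struct pid holds one number for each namespace level it is visible in. */
struct pid { int level; struct upid numbers[MAX_LEVEL]; };

/* Number of 'pid' as seen from 'ns'; 0 means "not visible from there". */
static int model_pid_nr_ns(const struct pid *pid, const struct pid_namespace *ns)
{
    if (pid && ns && ns->level <= pid->level) {
        const struct upid *u = &pid->numbers[ns->level];
        if (u->ns == ns)          /* same depth is not enough: must be this ns */
            return u->nr;
    }
    return 0;
}

/* What a raw task->pid style field would hold: the level-0 number only. */
static int model_raw_pid(const struct pid *pid) { return pid->numbers[0].nr; }

/* Constructed sample: the initial namespace and two sibling child namespaces. */
static struct pid_namespace init_ns = { 0, NULL };
static struct pid_namespace ctr_a   = { 1, &init_ns };
static struct pid_namespace ctr_b   = { 1, &init_ns };

/* Constructed sample: init of container A, and a daemon living only on the host. */
static struct pid ctr_init    = { 1, { { 4321, &init_ns }, { 1, &ctr_a } } };
static struct pid host_daemon = { 0, { { 812, &init_ns } } };

int main(void)
{
    printf("raw field:            %d\n", model_raw_pid(&ctr_init));
    printf("seen from init_ns:    %d\n", model_pid_nr_ns(&ctr_init, &init_ns));
    printf("seen from ctr_a:      %d\n", model_pid_nr_ns(&ctr_init, &ctr_a));
    printf("seen from ctr_b:      %d\n", model_pid_nr_ns(&ctr_init, &ctr_b));
    printf("host daemon in ctr_a: %d\n", model_pid_nr_ns(&host_daemon, &ctr_a));
    return 0;
}
```

A consumer in ctr_a handed the raw field would see a number that names nothing (or something else) in its own namespace, while an audit daemon in the initial namespace wants exactly the level-0 number; the namespace argument makes that choice explicit.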
