From: Ian Kent <ikent@redhat.com>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Kernel Mailing List <linux-kernel@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
Trond Myklebust <trond.myklebust@primarydata.com>,
"J. Bruce Fields" <bfields@fieldses.org>,
Benjamin Coddington <bcodding@redhat.com>,
Al Viro <viro@ZenIV.linux.org.uk>,
Jeff Layton <jeff.layton@primarydata.com>,
"Eric W. Biederman" <ebiederm@xmission.com>
Subject: Re: [RFC PATCH 3/8] kmod - teach call_usermodehelper() to use a namespace
Date: Wed, 11 Feb 2015 08:40:25 +0800
Message-ID: <1423615225.2599.25.camel@pluto.fritz.box>
In-Reply-To: <20150210165503.GA6797@redhat.com>

On Tue, 2015-02-10 at 17:55 +0100, Oleg Nesterov wrote:
> On 02/10, Ian Kent wrote:
> >
> > On Mon, 2015-02-09 at 17:03 +0100, Oleg Nesterov wrote:
> > >
> > > I understand. but I still can't understand why we can't implement something
> > > like
> > >     enter_ns(struct nsproxy *p)
> > >     {
> > >             new_nsproxy = create_new_namespaces(...);
> > >
> > >             p->mnt_ns->ns->ops->install(new_nsproxy, ...);
> > >             p->pid_ns_for_children->ns->ops->install(new_nsproxy, ...);
> > >             ...
> > >
> > >             switch_task_namespaces(new_nsproxy);
> > >     }
> > >
> > > Why we should abuse fs/proc ?
> >
> > That sounds like a much better approach.
> > You're saying just take a reference to the nsproxy from the located
> > process and use it instead, right?
>
> Yes,
>
> > Working out if there's a difference with what you from the open is
> > challenging (I already tried), I'll have another go at it.
>
> I think there should not be any difference, but please re-check ;)
>
> > > And. Whatever we do, ops->install() or setns_inode() can't solve the problem with
> > > pid_ns. You need the additional clone() to "activate" it. pidns_install() does not
> > > actually change task_active_pid_ns().
> >
> > Right, but all this is done in preparation for the following do_execve()
> > call. Isn't that enough or am I missing something?
>
> Yes, but do_execve() doesn't (and shouldn't) change task_active_pid_ns(). Note
> the ->pid_ns_for_children's name. It is only used by copy_process()->alloc_pid().

Right, I vaguely recall seeing something like this earlier in the fork
procedure, I get it. I'll need to have another look at it.

>
> task_active_pid_ns() uses task_pid() and we obviously can't change it.
>
> I am wondering if we can do something like
>
>     kernel_thread_in_ns(struct nsproxy *ns, ...)
>     {
>             struct nsproxy *saved_ns = current->nsproxy;
>             pid_t pid;
>
>             task_lock(current);
>             current->nsproxy = ns;
>             task_unlock(current);
>
>             pid = kernel_thread(...);
>
>             task_lock(current);
>             current->nsproxy = saved_ns;
>             task_unlock(current);
>
>             return pid;
>     }
>
> used by __call_usermodehelper/wait_for_helper, instead of "enter_ns" from
> sub_info->init()...

Again, thanks for the suggestions.
You've given me a few things to think about and check out.

Ian
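
The pid namespace behaviour discussed in this message (installing a pid namespace only sets `pid_ns_for_children`, and it takes effect at the next `copy_process()`) can be observed from userspace with `unshare(2)` and `fork(2)`. This is an added example, not code from the thread or the patch series; the name `pidns_demo` is hypothetical, and it assumes Linux with either CAP_SYS_ADMIN or unprivileged user namespaces enabled.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not from the thread). Changes the caller's namespaces,
 * so call it once from a throwaway process. Returns 0 on success, -1 if the
 * environment does not allow it (no privilege, user namespaces disabled). */
int pidns_demo(pid_t *before, pid_t *after, pid_t *child_view)
{
    int pfd[2];
    pid_t child;
    ssize_t n;
    *before = getpid();
    /* Unprivileged callers need CLONE_NEWUSER; plain NEWPID works for root. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWPID) < 0 && unshare(CLONE_NEWPID) < 0)
        return -1;
    /* Only nsproxy->pid_ns_for_children changed; our struct pid is untouched. */
    *after = getpid();

    if (pipe(pfd) < 0)
        return -1;
    child = fork();            /* copy_process()->alloc_pid() uses the new ns */
    if (child < 0)
        return -1;
    if (child == 0) {
        pid_t self = getpid(); /* pid as seen inside the new namespace */
        n = write(pfd[1], &self, sizeof(self));
        _exit(n == (ssize_t)sizeof(self) ? 0 : 1);
    }
    close(pfd[1]);
    n = read(pfd[0], child_view, sizeof(*child_view));
    close(pfd[0]);
    waitpid(child, NULL, 0);
    return n == (ssize_t)sizeof(*child_view) ? 0 : -1;
}

int main(void)
{
    pid_t before, after, child;
    if (pidns_demo(&before, &after, &child) < 0) {
        perror("pidns_demo");
        return 1;
    }
    printf("before=%d after=%d child=%d\n", (int)before, (int)after, (int)child);
    return 0;
}
```

The caller's pid is the same before and after `unshare()`, while the first forked child reports pid 1: the helper has to be created by a fork that happens after the namespace is installed, and an exec alone does not move the caller.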