From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756155AbbHFVXg (ORCPT ); Thu, 6 Aug 2015 17:23:36 -0400 Received: from out01.mta.xmission.com ([166.70.13.231]:34181 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754138AbbHFVXe (ORCPT ); Thu, 6 Aug 2015 17:23:34 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: Oleg Nesterov Cc: "Kirill A. Shutemov" , Andrew Morton , Kees Cook , David Howells , linux-kernel@vger.kernel.org, Peter Zijlstra , Ingo Molnar , "Kirill A. Shutemov" , Rik van Riel , Vladimir Davydov , Ricky Zhou , Julien Tinnes References: <20150728171500.GA2871@www.outflux.net> <20150728143504.5aa996ba5955522a19c2d5f1@linux-foundation.org> <20150728221111.GA23391@node.dhcp.inet.fi> <20150805172356.GA20490@redhat.com> <87wpx9sjhq.fsf@x220.int.ebiederm.org> <87614tr2jd.fsf@x220.int.ebiederm.org> <20150806143541.GA9414@redhat.com> Date: Thu, 06 Aug 2015 16:16:44 -0500 In-Reply-To: <20150806143541.GA9414@redhat.com> (Oleg Nesterov's message of "Thu, 6 Aug 2015 16:35:41 +0200") Message-ID: <87fv3wkthf.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-AID: U2FsdGVkX1+ukWPHfjznN7vFa9JViozp/EontM0FRCY= X-SA-Exim-Connect-IP: 67.3.205.173 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.7 XMSubLong Long Subject * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa07 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_01 4+ unique symbols in subject X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Oleg Nesterov X-Spam-Relay-Country: X-Spam-Timing: total 417 ms - load_scoreonly_sql: 0.04 (0.0%), signal_user_changed: 4.0 (1.0%), b_tie_ro: 3.0 (0.7%), parse: 3.1 (0.7%), extract_message_metadata: 5 (1.2%), get_uri_detail_list: 2.3 (0.6%), tests_pri_-1000: 4.9 (1.2%), tests_pri_-950: 1.53 (0.4%), tests_pri_-900: 1.25 (0.3%), tests_pri_-400: 30 (7.1%), check_bayes: 28 (6.7%), b_tokenize: 9 (2.2%), b_tok_get_all: 9 (2.2%), b_comp_prob: 3.5 (0.8%), b_tok_touch_all: 3.3 (0.8%), b_finish: 0.93 (0.2%), tests_pri_0: 349 (83.8%), tests_pri_500: 6 (1.4%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH] user_ns: use correct check for single-threadedness X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Oleg Nesterov writes: > On 08/05, Eric W. Biederman wrote: >> >> So I have to ask. > > I hope you are asking someone else, not me ;) I never understood what > exactly we try to restrict and why. I think I was just asking rhetorically, and asking myself. >> Is it possible to rework these checks such that we >> look at the sighand struct and signal sharing handling sharing instead >> of the count on the mm_struct? > > Then why we can't simply check thread_group_empty() == T ? Why should we > worry about CLONE_SIGHAND at all? thread_group_empty() for a thread group with a single member is a confusing name. CLONE_SIGHAND is just a hair excessive, you have to at least look at your per thread register to see which namespace to interpret the values of the signals in. I suppose that is confusing but not totally fatal. Without changing the semantics, just correcting the implementation of the code we have now this is the code I get: diff --git a/kernel/fork.c b/kernel/fork.c index 1bfefc6f96a4..c95757c15fcb 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1866,13 +1866,13 @@ static int check_unshare_flags(unsigned long unshare_flags) CLONE_NEWUSER|CLONE_NEWPID)) return -EINVAL; /* - * Not implemented, but pretend it works if there is nothing to - * unshare. Note that unsharing CLONE_THREAD or CLONE_SIGHAND - * needs to unshare vm. + * Not implemented, but pretend it works if there is nothing + * to unshare. Note that unsharing the address space or the + * signal handlers also need to unshare the signal queues (aka + * CLONE_THREAD). */ - if (unshare_flags & (CLONE_THREAD | CLONE_SIGHAND | CLONE_VM)) { - /* FIXME: get_task_mm() increments ->mm_users */ - if (atomic_read(¤t->mm->mm_users) > 1) + if (unshare_flags & CLONE_THREAD) { + if (!thread_group_empty(current)) return -EINVAL; } @@ -1936,21 +1936,23 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) int err; /* - * If unsharing a user namespace must also unshare the thread. + * If unsharing a user namespace must also unshare the signal + * handlers and unshare the filesystem root and working + * directories. */ if (unshare_flags & CLONE_NEWUSER) - unshare_flags |= CLONE_THREAD | CLONE_FS; - /* - * If unsharing a thread from a thread group, must also unshare vm. - */ - if (unshare_flags & CLONE_THREAD) - unshare_flags |= CLONE_VM; + unshare_flags |= CLONE_SIGHAND | CLONE_FS; /* * If unsharing vm, must also unshare signal handlers. */ if (unshare_flags & CLONE_VM) unshare_flags |= CLONE_SIGHAND; /* + * If unsharing a signal handlers, must also unshare the signal queues. + */ + if (unshare_flags & CLONE_SIGHAND) + unshare_flags |= CLONE_THREAD; + /* * If unsharing namespace, must also unshare filesystem information. */ if (unshare_flags & CLONE_NEWNS) diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index 4109f8320684..45a5cbf97715 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c @@ -976,8 +976,8 @@ static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns) if (user_ns == current_user_ns()) return -EINVAL; - /* Threaded processes may not enter a different user namespace */ - if (atomic_read(¤t->mm->mm_users) > 1) + /* Shared signal handlers must live in the same user namespace */ + if (atomic_read(¤t->sighand->count) > 1) return -EINVAL; if (current->fs->users != 1)