stable.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Oleg Nesterov <oleg@redhat.com>,
	Andy Lutomirski <luto@amacapital.net>,
	"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>
Subject: [PATCH 3.12 08/27] fork:  Allow CLONE_PARENT after setns(CLONE_NEWPID)
Date: Thu, 23 Jan 2014 11:06:45 -0800
Message-ID: <20140123190649.534378268@linuxfoundation.org>
In-Reply-To: <20140123190648.720195687@linuxfoundation.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebiederm@xmission.com>

commit 1f7f4dde5c945f41a7abc2285be43d918029ecc5 upstream.

Serge Hallyn <serge.hallyn@ubuntu.com> writes:
> Hi Oleg,
>
> commit 40a0d32d1eaffe6aac7324ca92604b6b3977eb0e :
> "fork: unify and tighten up CLONE_NEWUSER/CLONE_NEWPID checks"
> breaks lxc-attach in 3.12.  That code forks a child which does
> setns() and then does a clone(CLONE_PARENT).  That way the
> grandchild can be in the right namespaces (which the child was
> not) and be a child of the original task, which is the monitor.
>
> lxc-attach in 3.11 was working fine with no side effects that I
> could see.  Is there a real danger in allowing CLONE_PARENT
> when current->nsproxy->pidns_for_children is not our pidns,
> or was this done out of an "over-abundance of caution"?  Can we
> safely revert that new extra check?

The two fundamental things I know we can not allow are:
- A shared signal queue aka CLONE_THREAD.  Because we compute the pid
  and uid of the signal when we place it in the queue.

- Changing the pid and by extension pid_namespace of an existing
  process.

From a parent's perspective there is nothing special about the pid
namespace, to deny CLONE_PARENT, because the parent simply won't know or
care.

From the child's perspective all that is special really are shared signal
queues.

User mode threading with CLONE_PARENT|CLONE_VM|CLONE_SIGHAND and tasks
in different pid namespaces is almost certainly going to break because
it is complicated.  But shared signal handlers can look at per thread
information to know which pid namespace a process is in, so I don't know
of any reason not to support CLONE_PARENT|CLONE_VM|CLONE_SIGHAND threads
at the kernel level.  It would be absolutely stupid to implement but
that is a different thing.

So hmm.

Because it can do no harm, and because it is a regression let's remove
the CLONE_PARENT check and send it stable.

Acked-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Andy Lutomirski <luto@amacapital.net>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/fork.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1175,7 +1175,7 @@ static struct task_struct *copy_process(
 	 * do not allow it to share a thread group or signal handlers or
 	 * parent with the forking task.
 	 */
-	if (clone_flags & (CLONE_SIGHAND | CLONE_PARENT)) {
+	if (clone_flags & CLONE_SIGHAND) {
 		if ((clone_flags & (CLONE_NEWUSER | CLONE_NEWPID)) ||
 		    (task_active_pid_ns(current) !=
 				current->nsproxy->pid_ns_for_children))
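
Review bot: the comment directly above the changed condition still reads "do not allow it to share a thread group or signal handlers or parent with the forking task", but with CLONE_PARENT dropped from the mask the "or parent" part no longer matches the code. Suggest trimming the comment to "a thread group or signal handlers" in this same patch, so a later reader does not assume CLONE_PARENT is still rejected when task_active_pid_ns(current) differs from pid_ns_for_children. The retained CLONE_SIGHAND test still covers CLONE_THREAD, since CLONE_THREAD is only accepted together with CLONE_SIGHAND, so the shared signal queue case named in the commit message stays blocked.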


