From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from out02.mta.xmission.com ([166.70.13.232]:33233 "EHLO
        out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751223AbdHFD6Y (ORCPT
        <rfc822;stable@vger.kernel.org>); Sat, 5 Aug 2017 23:58:24 -0400
From: ebiederm@xmission.com (Eric W. Biederman)
To: Aleksa Sarai <asarai@suse.de>
Cc: Aleksa Sarai <ASarai@suse.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Ingo Molnar <mingo@redhat.com>,
        Aleksa Sarai <cyphar@cyphar.com>,
        Jess Frazelle <acidburn@google.com>,
        linux-kernel@vger.kernel.org, stable@vger.kernel.org
References: <20170805165226.31398-1-asarai@suse.com>
        <d312a69af58e68a64a1332e8327cbe99@suse.de>
Date: Sat, 05 Aug 2017 22:50:00 -0500
In-Reply-To: <d312a69af58e68a64a1332e8327cbe99@suse.de> (Aleksa Sarai's
        message of "Sun, 06 Aug 2017 03:58:27 +1000")
Message-ID: <87h8xlicd3.fsf@xmission.com>
MIME-Version: 1.0
Content-Type: text/plain
Subject: Re: [PATCH] sched: debug: use task_pid_vnr in /proc/$pid/sched
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

Aleksa Sarai <asarai@suse.de> writes:

> On 2017-08-06 02:52, Aleksa Sarai wrote:
>> It appears as though the addition of the PID namespace did not update
>> the output code for /proc/$pid/sched, which made it trivial to figure
>> out whether a process was inside &init_pid_ns from userspace (making
>> container detection trivial[1]). This lead to situations such as:
>>
>>   % unshare -pf head -n1 /proc/self/sched
>>   head (10047, #threads: 1)
>>
>> Fix this by just using task_pid_vnr for the output of /proc/$pid/sched.
>> All of the other uses of task_pid_nr in kernel/sched/debug.c are from a
>> sysctl context and thus don't need to be namespaced.
>>
>> [1]: https://github.com/jessfraz/amicontained


>>
>> Cc: <stable@vger.kernel.org>
>> Cc: Jess Frazelle <acidburn@google.com>
>> Signed-off-by: Aleksa Sarai <asarai@suse.com>
>> ---
>>  kernel/sched/debug.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/kernel/sched/debug.c b/kernel/sched/debug.c
>> index 4fa66de52bd6..a06acbe33e16 100644
>> --- a/kernel/sched/debug.c
>> +++ b/kernel/sched/debug.c
>> @@ -876,7 +876,7 @@ void proc_sched_show_task(struct task_struct *p,
>> struct seq_file *m)
>>  {
>>  	unsigned long nr_switches;
>>
>> -	SEQ_printf(m, "%s (%d, #threads: %d)\n", p->comm, task_pid_nr(p),
>> +	SEQ_printf(m, "%s (%d, #threads: %d)\n", p->comm, task_pid_vnr(p),
>>  						get_nr_threads(p));
>>  	SEQ_printf(m,
>>  		"---------------------------------------------------------"
>
> Added Eric to Cc.

Changing this to pid_nr_ns, to make this relative to the pid namespace
of proc would be very reasonable.

Making files content relative to current is in general a bug.

Hiding the fact you are contained is not an explicit goal.  But making
those things that are reasonably in a namespace relative to that
namespace is.

Eric