From: yumkam@gmail.com (Yuriy M. Kaminskiy)
To: util-linux@vger.kernel.org
Subject: Re: [PATCH 2/2] unshare: allow persisting mount namespaces
Date: Sat, 30 Jan 2016 06:52:36 +0300 [thread overview]
Message-ID: <m31t8zhgfv.fsf@gmail.com> (raw)
In-Reply-To: 20150410081733.GM3923@ws.net.home
Karel Zak <kzak@redhat.com> writes:
(this was commited as c84f2590dfdb8570beeb731e0105f8fe597443d1)
> +static void bind_ns_files_from_child(pid_t *child)
> +{
> + pid_t ppid = getpid();
> + ino_t ino = get_mnt_ino(ppid);
> +
> + *child = fork();
> +
> + switch(*child) {
> + case -1:
> + err(EXIT_FAILURE, _("fork failed"));
> + case 0: /* child */
> + do {
> + /* wait until parent unshare() */
> + ino_t new_ino = get_mnt_ino(ppid);
> + if (ino != new_ino)
> + break;
> + } while (1);
Racing? Suppose, parent died (e.g. unshare(2) failed), (parent) process
was reaped, new (unrelated) process was created with same pid, as a
result this function will bind namespaces from wrong process. (That
said, pretty unlikely, and no idea how to properly fix it).
> + bind_ns_files(ppid);
> + exit(EXIT_SUCCESS);
> + break;
> + default: /* parent */
> + break;
> + }
> +}
> +
> static void usage(int status)
> {
> FILE *out = status == EXIT_SUCCESS ? stdout : stderr;
> @@ -248,6 +289,8 @@ int main(int argc, char *argv[])
> int unshare_flags = 0;
> int c, forkit = 0, maproot = 0;
> const char *procmnt = NULL;
> + pid_t pid = 0;
> + int status;
> unsigned long propagation = UNSHARE_PROPAGATION_DEFAULT;
> uid_t real_euid = geteuid();
> gid_t real_egid = getegid();;
> @@ -316,12 +359,35 @@ int main(int argc, char *argv[])
> }
> }
>
> + if (npersists && (unshare_flags & CLONE_NEWNS))
> + bind_ns_files_from_child(&pid);
> +
> if (-1 == unshare(unshare_flags))
> err(EXIT_FAILURE, _("unshare failed"));
>
> + if (npersists) {
> + if (pid && (unshare_flags & CLONE_NEWNS)) {
> + /* wait for bind_ns_files_from_child() */
> + int rc;
> +
> + do {
> + rc = waitpid(pid, &status, 0);
> + if (rc < 0) {
> + if (errno == EINTR)
> + continue;
> + err(EXIT_FAILURE, _("waitpid failed"));
> + }
> + if (WIFEXITED(status) &&
> + WEXITSTATUS(status) != EXIT_SUCCESS)
> + return WEXITSTATUS(status);
> + } while (rc < 0);
> + } else
> + /* simple way, just bind */
> + bind_ns_files(getpid());
> + }
> +
> if (forkit) {
> - int status;
> - pid_t pid = fork();
> + pid = fork();
>
> switch(pid) {
> case -1:
> @@ -339,8 +405,6 @@ int main(int argc, char *argv[])
> }
> }
>
> - if (npersists)
> - bind_ns_files(getpid());
>
> if (maproot) {
> if (setgrpcmd == SETGROUPS_ALLOW)
next prev parent reply other threads:[~2016-01-30 3:52 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-09 11:22 [PATCH 1/2] unshare: allow persisting namespaces Karel Zak
2015-04-09 11:22 ` [PATCH 2/2] unshare: allow persisting mount namespaces Karel Zak
2015-04-09 17:07 ` Eric W. Biederman
2015-04-10 8:17 ` Karel Zak
2016-01-30 3:52 ` Yuriy M. Kaminskiy [this message]
2016-01-30 13:31 ` Yuriy M. Kaminskiy
2016-02-01 10:41 ` Karel Zak
2016-02-01 14:31 ` Yuriy M. Kaminskiy
2016-02-02 10:14 ` Karel Zak
2016-02-17 13:07 ` Karel Zak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m31t8zhgfv.fsf@gmail.com \
--to=yumkam@gmail.com \
--cc=util-linux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox