From: serge.hallyn@ubuntu.com
To: linux-kernel@vger.kernel.org
Cc: adityakali@google.com, tj@kernel.org, linux-api@vger.kernel.org, containers@lists.linux-foundation.org, cgroups@vger.kernel.org, lxc-devel@lists.linuxcontainers.org, akpm@linux-foundation.org, ebiederm@xmission.com, gregkh@linuxfoundation.org, lizefan@huawei.com, hannes@cmpxchg.org, Serge Hallyn <serge.hallyn@ubuntu.com>, Serge Hallyn <serge.hallyn@canonical.com>
Subject: [PATCH 6/8] cgroup: mount cgroupns-root when inside non-init cgroupns
Date: Mon, 4 Jan 2016 13:54:51 -0600
Message-ID: <1451937294-22589-7-git-send-email-serge.hallyn@ubuntu.com>
In-Reply-To: <1451937294-22589-1-git-send-email-serge.hallyn@ubuntu.com>

From: Serge Hallyn <serge.hallyn@ubuntu.com>

This patch enables cgroup mounting inside userns when a process has
appropriate privileges. The cgroup filesystem mounted is rooted at the
cgroupns-root. Thus, in a container-setup, only the hierarchy under the
cgroupns-root is exposed inside the container. This allows container
management tools to run inside the containers without depending on any
global state.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
---
Changelog:
  20151116 - Don't allow user namespaces to bind new subsystems
  20151118 - postpone the FS_USERNS_MOUNT flag until the last patch, until
             we can convince ourselves it is safe.
  20151207 - Switch to walking up the kernfs path from kn root.
           - Group initialized variables
           - Explain the capable(CAP_SYS_ADMIN) check
           - Style fixes
  20160104 - kernfs_node_dentry: lock inode for lookup_one_len()
Signed-off-by: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org> --- fs/kernfs/mount.c | 2 ++ kernel/cgroup.c | 40 +++++++++++++++++++++++++++++++++++++++- 2 files changed, 41 insertions(+), 1 deletion(-) diff --git a/fs/kernfs/mount.c b/fs/kernfs/mount.c index 7224296..074bb8b 100644 --- a/fs/kernfs/mount.c +++ b/fs/kernfs/mount.c @@ -120,7 +120,9 @@ struct dentry *kernfs_node_dentry(struct kernfs_node *kn, kntmp = find_next_ancestor(kn, knparent); if (WARN_ON(!kntmp)) return ERR_PTR(-EINVAL); + mutex_lock(&d_inode(dentry)->i_mutex); dtmp = lookup_one_len(kntmp->name, dentry, strlen(kntmp->name)); + mutex_unlock(&d_inode(dentry)->i_mutex); dput(dentry); if (IS_ERR(dtmp)) return dtmp; diff --git a/kernel/cgroup.c b/kernel/cgroup.c index 2bb58a1..d0bed8f 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c @@ -1983,6 +1983,7 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type, { bool is_v2 = fs_type == &cgroup2_fs_type; struct super_block *pinned_sb = NULL; + struct cgroup_namespace *ns = current->nsproxy->cgroup_ns; struct cgroup_subsys *ss; struct cgroup_root *root; struct cgroup_sb_opts opts; @@ -1991,6 +1992,14 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type, int i; bool new_sb; + get_cgroup_ns(ns); + + /* Check if the caller has permission to mount. */ + if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN)) { + put_cgroup_ns(ns); + return ERR_PTR(-EPERM); + } + /* * The first time anyone tries to mount a cgroup, enable the list * linking each css_set to its tasks and fix up all existing tasks. 
@@ -2106,6 +2115,16 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type, goto out_unlock; } + /* + * We know this subsystem has not yet been bound. Users in a non-init + * user namespace may only mount hierarchies with no bound subsystems, + * i.e. 'none,name=user1' + */ + if (!opts.none && !capable(CAP_SYS_ADMIN)) { + ret = -EPERM; + goto out_unlock; + } + root = kzalloc(sizeof(*root), GFP_KERNEL); if (!root) { ret = -ENOMEM; @@ -2124,12 +2143,30 @@ out_free: kfree(opts.release_agent); kfree(opts.name); - if (ret) + if (ret) { + put_cgroup_ns(ns); return ERR_PTR(ret); + } out_mount: dentry = kernfs_mount(fs_type, flags, root->kf_root, is_v2 ? CGROUP2_SUPER_MAGIC : CGROUP_SUPER_MAGIC, &new_sb); + + /* + * In non-init cgroup namespace, instead of root cgroup's + * dentry, we return the dentry corresponding to the + * cgroupns->root_cgrp. + */ + if (!IS_ERR(dentry) && ns != &init_cgroup_ns) { + struct dentry *nsdentry; + struct cgroup *cgrp; + + cgrp = cset_cgroup_from_root(ns->root_cset, root); + nsdentry = kernfs_node_dentry(cgrp->kn, dentry->d_sb); + dput(dentry); + dentry = nsdentry; + } + if (IS_ERR(dentry) || !new_sb) cgroup_put(&root->cgrp); @@ -2142,6 +2179,7 @@ out_mount: deactivate_super(pinned_sb); } + put_cgroup_ns(ns); return dentry; } -- 1.7.9.5
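Review bot: the mutex_lock()/mutex_unlock() pair added around lookup_one_len() in the fs/kernfs/mount.c hunk (kernfs_node_dentry()) needs a one-line comment saying why it is there: lookup_one_len() requires the caller to hold the parent inode's i_mutex, and here the parent is the `dentry` being walked, which is dput() right after the unlock, so the unlock must stay ahead of the dput() as written. Since the 20160104 changelog entry shows this is a fix to the helper this series introduces earlier (patch 5/8, "kernfs: define kernfs_node_dentry"), please fold it into that patch rather than carrying it here, so there is no point in the series where kernfs_node_dentry() calls lookup_one_len() unlocked.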
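Review bot: the comment "Check if the caller has permission to mount" in the first kernel/cgroup.c hunk should say which user namespace is consulted and why: ns_capable(ns->user_ns, CAP_SYS_ADMIN) tests the user namespace that owns the caller's cgroup namespace, not current_user_ns(), so a task that has created a user namespace but still shares the initial cgroup namespace is refused (it has to unshare CLONE_NEWCGROUP first), while a task that unshared its cgroup namespace from a user namespace in which it holds CAP_SYS_ADMIN is allowed. Is the get_cgroup_ns(ns)/put_cgroup_ns(ns) pair actually needed? current->nsproxy is only ever replaced by current itself, so current->nsproxy->cgroup_ns cannot disappear for the duration of this mount(2) call; if the reference is kept defensively, say so in a comment, because it is what forces the new braces in out_free and the put before the final return to stay balanced on every exit path.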
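Review bot: the comment above the new `if (!opts.none && !capable(CAP_SYS_ADMIN))` check says "We know this subsystem has not yet been bound", but at that point the preceding loop has established that none of the requested subsystems is bound, and "i.e. 'none,name=user1'" should be "e.g.". More importantly the comment should state why this check uses capable() against the initial user namespace while the earlier check uses ns_capable(): binding a subsystem to a new hierarchy changes global state for every task on the system, which is exactly what a user-namespace root must not be able to do. Two questions on the same hunk: the name of a 'none,name=...' hierarchy is also global (it appears in every task's /proc/<pid>/cgroup and collides with any existing or later hierarchy of that name), so should a container be able to create an unbounded number of named hierarchies, or claim a name the host later wants? And does the cgroup2 (is_v2) path reach this check at all? If it leaves cgroup_mount() before it, the commit message should say that cgroup2 mounts are gated by the ns_capable() check alone.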
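Review bot: cset_cgroup_from_root(ns->root_cset, root) in the out_mount hunk runs after cgroup_mutex was dropped at out_unlock, but cset_cgroup_from_root() walks the css_set's cgrp_links and has lockdep_assert_held() on both cgroup_mutex and css_set_lock, so the first mount from a non-init cgroup namespace will trip lockdep and the walk races with css_set changes; take cgroup_mutex and css_set_lock around that call (the kernfs_node_dentry() call can stay outside them). Second, the error path is incomplete: if kernfs_node_dentry() fails, `dput(dentry); dentry = nsdentry;` has already dropped the root dentry, `dentry` is now an error pointer, and the super block that kernfs_mount() just activated is never deactivated, leaking the mount; save dentry->d_sb before the dput() and deactivate it (deactivate_locked_super(), since s_umount is still held on return from kernfs_mount()) before falling through to the cgroup_put(). Third, the comment refers to "cgroupns->root_cgrp", which is not a field of struct cgroup_namespace; the code resolves ns->root_cset in this hierarchy, so say that instead.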