From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754416AbbCaDPK (ORCPT ); Mon, 30 Mar 2015 23:15:10 -0400 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:36718 "EHLO out2-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754249AbbCaDPF (ORCPT ); Mon, 30 Mar 2015 23:15:05 -0400 X-Sasl-enc: IVK/6Xqo0Uows1vYPX83nCBjzLqgdJw717Yx9l8oggUx 1427771704 Subject: [RFC PATCH 5 2/7] kmod - teach usermodehelper to use service workqueues From: Ian Kent To: Kernel Mailing List Cc: David Howells , Oleg Nesterov , Trond Myklebust , "J. Bruce Fields" , Benjamin Coddington , Al Viro , Jeff Layton , "Eric W. Biederman" Date: Tue, 31 Mar 2015 11:14:50 +0800 Message-ID: <20150331031449.10464.73117.stgit@pluto.fritz.box> In-Reply-To: <20150331030340.10464.30272.stgit@pluto.fritz.box> References: <20150331030340.10464.30272.stgit@pluto.fritz.box> User-Agent: StGit/0.17-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The call_usermodehelper() function executes all binaries in the global "init" root context. This doesn't allow a binary to be run within a namespace environment such as a container. To do this the namespace environment of the contaner must be available to provide the required execution environment. This can be done by creating a service thread, identified by issuing a token identifier, used when executing the helper with a function that takes the token as a parameter. Signed-off-by: Ian Kent Cc: Benjamin Coddington Cc: Al Viro Cc: J. Bruce Fields Cc: David Howells Cc: Trond Myklebust Cc: Oleg Nesterov Cc: Eric W. Biederman Cc: Jeff Layton --- include/linux/kmod.h | 5 +++++ kernel/kmod.c | 38 +++++++++++++++++++++++++++++++------- 2 files changed, 36 insertions(+), 7 deletions(-) diff --git a/include/linux/kmod.h b/include/linux/kmod.h index fa46722..9a9fcb3 100644 --- a/include/linux/kmod.h +++ b/include/linux/kmod.h @@ -56,6 +56,7 @@ struct file; struct subprocess_info { struct work_struct work; struct completion *complete; + int wq_token; char *path; char **argv; char **envp; @@ -72,6 +73,10 @@ extern void umh_wq_put_token(int token); extern int call_usermodehelper(char *path, char **argv, char **envp, int wait); +extern int +call_usermodehelper_service(char *path, char **argv, + char **envp, int token, int wait); + extern struct subprocess_info * call_usermodehelper_setup(char *path, char **argv, char **envp, gfp_t gfp_mask, int (*init)(struct subprocess_info *info, struct cred *new), diff --git a/kernel/kmod.c b/kernel/kmod.c index 55d20ce..47c5ff5 100644 --- a/kernel/kmod.c +++ b/kernel/kmod.c @@ -712,6 +712,7 @@ EXPORT_SYMBOL(call_usermodehelper_setup); */ int call_usermodehelper_exec(struct subprocess_info *sub_info, int wait) { + static struct workqueue_struct *wq; DECLARE_COMPLETION_ONSTACK(done); int retval = 0; @@ -720,7 +721,8 @@ int call_usermodehelper_exec(struct subprocess_info *sub_info, int wait) return -EINVAL; } helper_lock(); - if (!khelper_wq || usermodehelper_disabled) { + wq = umh_find_wq(sub_info->wq_token, wait); + if (!wq || usermodehelper_disabled) { retval = -EBUSY; goto out; } @@ -732,7 +734,7 @@ int call_usermodehelper_exec(struct subprocess_info *sub_info, int wait) sub_info->complete = (wait == UMH_NO_WAIT) ? NULL : &done; sub_info->wait = wait; - queue_work(khelper_wq, &sub_info->work); + queue_work(wq, &sub_info->work); if (wait == UMH_NO_WAIT) /* task has freed sub_info */ goto unlock; @@ -759,19 +761,21 @@ unlock: EXPORT_SYMBOL(call_usermodehelper_exec); /** - * call_usermodehelper() - prepare and start a usermode application + * call_usermodehelper_service() - start a usermode application within + * a service environment. * @path: path to usermode executable * @argv: arg vector for process * @envp: environment for process + * @token: token corresponding to a service environment obtained by a + * call to umh_wq_get_token(). * @wait: wait for the application to finish and return status. * when UMH_NO_WAIT don't wait at all, but you get no useful error back * when the program couldn't be exec'ed. This makes it safe to call * from interrupt context. - * - * This function is the equivalent to use call_usermodehelper_setup() and - * call_usermodehelper_exec(). */ -int call_usermodehelper(char *path, char **argv, char **envp, int wait) +int call_usermodehelper_service(char *path, + char **argv, char **envp, + int token, int wait) { struct subprocess_info *info; gfp_t gfp_mask = (wait == UMH_NO_WAIT) ? GFP_ATOMIC : GFP_KERNEL; @@ -780,9 +784,29 @@ int call_usermodehelper(char *path, char **argv, char **envp, int wait) NULL, NULL, NULL); if (info == NULL) return -ENOMEM; + info->wq_token = token; return call_usermodehelper_exec(info, wait); } +EXPORT_SYMBOL(call_usermodehelper_service); + +/** + * call_usermodehelper() - prepare and start a usermode application + * @path: path to usermode executable + * @argv: arg vector for process + * @envp: environment for process + * @wait: wait for the application to finish and return status. + * when UMH_NO_WAIT don't wait at all, but you get no useful error back + * when the program couldn't be exec'ed. This makes it safe to call + * from interrupt context. + * + * This function is the equivalent to using call_usermodehelper_setup() and + * call_usermodehelper_exec(). + */ +int call_usermodehelper(char *path, char **argv, char **envp, int wait) +{ + return call_usermodehelper_service(path, argv, envp, 0, wait); +} EXPORT_SYMBOL(call_usermodehelper); static int proc_cap_handler(struct ctl_table *table, int write,