* [PATCH dhowells/mount-api] proc: set a proper user namespace for fs_context
From: Andrei Vagin @ 2018-08-16 7:34 UTC
To: David Howells; +Cc: linux-fsdevel, Andrei Vagin, Andrei Vagin

A user namespace should be taken from a pidns for which a procfs is created.

Signed-off-by: Andrei Vagin <avagin@gmail.com>
---
fs/proc/root.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/fs/proc/root.c b/fs/proc/root.c
index 1d6e5bfa30cc..1419b48a89ab 100644
--- a/fs/proc/root.c
+++ b/fs/proc/root.c
@@ -315,6 +315,11 @@ int pid_ns_prepare_proc(struct pid_namespace *ns) if (IS_ERR(fc)) return PTR_ERR(fc); + if (fc->user_ns != ns->user_ns) { + put_user_ns(fc->user_ns); + fc->user_ns = get_user_ns(ns->user_ns); + } + ctx = fc->fs_private; if (ctx->pid_ns != ns) { put_pid_ns(ctx->pid_ns);
--
2.17.1
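Review bot: the one-line description leaves out the context that makes the hunk correct, namely that pid_ns_prepare_proc() runs while a new pid namespace is being set up, so the user_ns the fs_context was allocated with belongs to the process performing the setup rather than to the pid namespace whose proc superblock this is; without that, replacing fc->user_ns with ns->user_ns reads as taking the superblock's user_ns away from the mounter. Suggest expanding the commit message to say that the user_ns for the proc superblock created for a new pid_namespace must be taken from that pid_namespace and not from the active process, and to name the user-visible symptom (an unprivileged `unshare -Urnm --mount-proc` failing with EBUSY on the proc mount, as the strace in the follow-up shows). The reference handling itself looks fine: put_user_ns() on the old reference followed by get_user_ns() on the new one mirrors the existing ctx->pid_ns swap immediately below the hunk.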
* Re: [PATCH dhowells/mount-api] proc: set a proper user namespace for fs_context
From: Andrei Vagin @ 2018-08-16 22:16 UTC
To: David Howells; +Cc: linux-fsdevel

Hi David,

I reported this problem about a month ago when the patches were not in linux-next. Now they are there and we can't run CRIU tests, because it is impossible to mount /proc in a container.

[root@fc24 ~]# strace unshare -Urnm --mount-proc true
unshare(CLONE_NEWNS|CLONE_NEWNET|CLONE_NEWUSER) = 0
openat(AT_FDCWD, "/proc/self/setgroups", O_WRONLY) = 3
write(3, "deny", 4) = 4
close(3) = 0
openat(AT_FDCWD, "/proc/self/uid_map", O_WRONLY) = 3
write(3, "0 0 1", 5) = 5
close(3) = 0
openat(AT_FDCWD, "/proc/self/gid_map", O_WRONLY) = 3
write(3, "0 0 1", 5) = 5
close(3) = 0
mount("none", "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
mount("none", "/proc", NULL, MS_REC|MS_PRIVATE, NULL) = 0
mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EBUSY (Device or resource busy)

https://travis-ci.org/avagin/linux/jobs/416641093

Thanks,
Andrei

On Thu, Aug 16, 2018 at 12:34 AM Andrei Vagin <avagin@openvz.org> wrote:
>
> A user namespace should be taken from a pidns for which a procfs is created.
>
> Signed-off-by: Andrei Vagin <avagin@gmail.com>
> ---
> fs/proc/root.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/fs/proc/root.c b/fs/proc/root.c
> index 1d6e5bfa30cc..1419b48a89ab 100644
> --- a/fs/proc/root.c
> +++ b/fs/proc/root.c
> @@ -315,6 +315,11 @@ int pid_ns_prepare_proc(struct pid_namespace *ns) > if (IS_ERR(fc)) > return PTR_ERR(fc); > > + if (fc->user_ns != ns->user_ns) { > + put_user_ns(fc->user_ns); > + fc->user_ns = get_user_ns(ns->user_ns); > + } > + > ctx = fc->fs_private; > if (ctx->pid_ns != ns) { > put_pid_ns(ctx->pid_ns); > -- > 2.17.1
* Re: [PATCH dhowells/mount-api] proc: set a proper user namespace for fs_context
From: David Howells @ 2018-08-21 7:33 UTC
To: Andrei Vagin
Cc: dhowells, linux-fsdevel, Andrei Vagin, Eric Biederman, Alexander Viro

Andrei Vagin <avagin@openvz.org> wrote:

> A user namespace should be taken from a pidns for which a procfs is created.

That would seem wrong. Shouldn't the superblock user_ns be from the mounter?

Adding Al and Eric to the list to get their opinion.

David

> Signed-off-by: Andrei Vagin <avagin@gmail.com>
> ---
> fs/proc/root.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/fs/proc/root.c b/fs/proc/root.c
> index 1d6e5bfa30cc..1419b48a89ab 100644
> --- a/fs/proc/root.c
> +++ b/fs/proc/root.c
> @@ -315,6 +315,11 @@ int pid_ns_prepare_proc(struct pid_namespace *ns) > if (IS_ERR(fc)) > return PTR_ERR(fc); > > + if (fc->user_ns != ns->user_ns) { > + put_user_ns(fc->user_ns); > + fc->user_ns = get_user_ns(ns->user_ns); > + } > + > ctx = fc->fs_private; > if (ctx->pid_ns != ns) { > put_pid_ns(ctx->pid_ns);
* Re: [PATCH dhowells/mount-api] proc: set a proper user namespace for fs_context
From: David Howells @ 2018-08-21 7:39 UTC
Cc: dhowells, Andrei Vagin, linux-fsdevel, Andrei Vagin, Eric Biederman, Alexander Viro

David Howells <dhowells@redhat.com> wrote:

> > A user namespace should be taken from a pidns for which a procfs is created.
>
> That would seem wrong. Shouldn't the superblock user_ns be from the mounter?

Ah, no. The change is correct. What the patch description doesn't mention is that this is when a new pid namespace is setting up its own proc filesystem.

I'll change the subject and patch body to:

    proc: Set correct userns for new proc super created by a new pid_namespace

    Fix the setting up a new proc superblock for a new pid_namespace such that the user_ns for that proc superblock needs to be taken from the new pid_namespace and not the active process.

which I think describes it better.

David