From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-fsdevel-owner@vger.kernel.org>
Received: from mail-io0-f193.google.com ([209.85.223.193]:37892 "EHLO
        mail-io0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752155AbeFYWjX (ORCPT
        <rfc822;linux-fsdevel@vger.kernel.org>);
        Mon, 25 Jun 2018 18:39:23 -0400
MIME-Version: 1.0
References: <87muvr58ak.fsf@xmission.com> <CA+55aFxTtemhGJweOKfATojapGzD-riaowDUSh65OA2pCB+w6Q@mail.gmail.com>
 <87d0wetyh2.fsf@xmission.com>
In-Reply-To: <87d0wetyh2.fsf@xmission.com>
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Tue, 26 Jun 2018 06:39:11 +0800
Message-ID: <CA+55aFz9RSQuk6eN5p_1J=-iKUi3=qvaOi_Dqip=VsqzucJb4Q@mail.gmail.com>
Subject: Re: [GIT PULL] userns fixes for 4.17-rc2
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Linux Containers <containers@lists.linux-foundation.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        astrachan@google.com, Andrew Morton <akpm@linux-foundation.org>,
        Al Viro <viro@zeniv.linux.org.uk>,
        David Howells <dhowells@redhat.com>,
        Oleg Nesterov <oleg@redhat.com>,
        Alexey Dobriyan <adobriyan@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID: <linux-fsdevel.vger.kernel.org>

On Tue, Jun 26, 2018 at 4:15 AM Eric W. Biederman <ebiederm@xmission.com> wrote:
>
> I don't understand the feedback about only accepting something like this
> during the merge window.  The entire point of my change was to remove
> subtlety.  The code was very straight forward to test.

But it *doesn't* remove subtlety - it's just subtle in a different
way. Now it's subtle in the odd pid counting instead, and how  it
generates temporary kernel mounts all the time.

And the problem with the old code apparently went unnoticed for years,
and only hits some very odd cases. So there's real risk from the
hange.

> This is a silent regression of a security feature so it is possible some
> people have upgraded their kernel and not noticed the regression but are
> affected by the information leak not honoring hidepid introduces.  That
> seems to me to be a candidate for stable and thus an rc kernel.

Definitely not in the form you posted it. It's simply not obvious enough.

> Would you prefer a patch that does less towards fixing the root cause
> for now and to be backported to stable?

It's not about whether this is "root cause" or not. It's simply about
the changes being subtle and unclear, and the commits mixing things up
and not being legible enough that anybody can just go "yeah, that's
safe and obviously a fix".

The odd pid counting optimization wasn't even *explained* for
chrissake.  Never mind that the sysctl access code was mixed in with
the other changes.

So the way to get this merged is to make each step obvious and
independent. At that point I may go "yeah, this fixes a real issue and
doesn't introduce new ones".

As it is, it's not at all obvious that it doesn't introduce new issues.

                Linus