From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-oi1-f195.google.com ([209.85.167.195]:38587 "EHLO mail-oi1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726418AbeJIUBK (ORCPT ); Tue, 9 Oct 2018 16:01:10 -0400
Received: by mail-oi1-f195.google.com with SMTP id u197-v6so1086429oif.5 for ; Tue, 09 Oct 2018 05:44:22 -0700 (PDT)
MIME-Version: 1.0
References: <20181009103752.21482-1-laurent@vivier.eu> <20181009103752.21482-2-laurent@vivier.eu>
In-Reply-To: <20181009103752.21482-2-laurent@vivier.eu>
From: Jann Horn
Date: Tue, 9 Oct 2018 14:43:56 +0200
Message-ID:
Subject: Re: [RFC v5 1/1] ns: add binfmt_misc to the user namespace
To: Laurent Vivier
Cc: kernel list , "Eric W. Biederman" , dima@arista.com, Linux API , James Bottomley , Al Viro , linux-fsdevel@vger.kernel.org, avagin@gmail.com, containers@lists.linux-foundation.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

On Tue, Oct 9, 2018 at 12:38 PM Laurent Vivier wrote:
> This patch allows to have a different binfmt_misc configuration
> for each new user namespace. By default, the binfmt_misc configuration
> is the one of the previous level, but if the binfmt_misc filesystem is
> mounted in the new namespace a new empty binfmt instance is created and
> used in this namespace.
>
> For instance, using "unshare" we can start a chroot of another
> architecture and configure the binfmt_misc interpreter without being root
> to run the binaries in this chroot.
[...]
> @@ -823,12 +847,34 @@ static const struct super_operations s_ops = { > static int bm_fill_super(struct super_block *sb, void *data, int silent) > { > int err; > + struct user_namespace *ns = sb->s_user_ns; > static const struct tree_descr bm_files[] = { > [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO}, > [3] = {"register", &bm_register_operations, S_IWUSR}, > /* last one */ {""} > }; > > + /* create a new binfmt namespace > + * if we are not in the first user namespace > + * but the binfmt namespace is the first one > + */ > + if (READ_ONCE(ns->binfmt_ns) == NULL) { > + struct binfmt_namespace *new_ns; > + > + new_ns = kmalloc(sizeof(struct binfmt_namespace), > + GFP_KERNEL); > + if (new_ns == NULL) > + return -ENOMEM; > + INIT_LIST_HEAD(&new_ns->entries); > + new_ns->enabled = 1; > + rwlock_init(&new_ns->entries_lock); > + new_ns->bm_mnt = NULL; > + new_ns->entry_count = 0; > + /* ensure new_ns is completely initialized before sharing it */ > + smp_wmb(); > + WRITE_ONCE(ns->binfmt_ns, new_ns); > + } You're still not preventing a concurrent race of two mount() calls, right? What prevents two instances of this code block from running concurrently in two different namespaces? I think you want to take some sort of global lock around this.
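
Review bot: the `READ_ONCE(ns->binfmt_ns) == NULL` test and the `WRITE_ONCE(ns->binfmt_ns, new_ns)` at the end of the new block in bm_fill_super() form a check-then-publish pair with nothing serializing them. If two bm_fill_super() calls can run at once against the same `sb->s_user_ns`, both can observe NULL, both kmalloc() a `struct binfmt_namespace`, and the later store overwrites the earlier pointer, leaking that allocation. Either hold a lock across the check and the store, or publish with `cmpxchg(&ns->binfmt_ns, NULL, new_ns)` and kfree(new_ns) when the returned old value is not NULL. Separately, the `smp_wmb()` followed by `WRITE_ONCE()` could be a single `smp_store_release()`, and the barrier comment should say which read of `binfmt_ns` it pairs with.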