* [PATCH dhowells/mount-api] proc: set a proper user namespace for fs_context
@ 2018-08-16  7:34 Andrei Vagin
From: Andrei Vagin @ 2018-08-16  7:34 UTC (permalink / raw)
  To: David Howells; +Cc: linux-fsdevel, Andrei Vagin, Andrei Vagin

A user namespace should be taken from a pidns for which a procfs is created.

Signed-off-by: Andrei Vagin <avagin@gmail.com>
---
 fs/proc/root.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/proc/root.c b/fs/proc/root.c
index 1d6e5bfa30cc..1419b48a89ab 100644
--- a/fs/proc/root.c
+++ b/fs/proc/root.c
@@ -315,6 +315,11 @@ int pid_ns_prepare_proc(struct pid_namespace *ns)
 	if (IS_ERR(fc))
 		return PTR_ERR(fc);
 
+	if (fc->user_ns != ns->user_ns) {
+		put_user_ns(fc->user_ns);
+		fc->user_ns = get_user_ns(ns->user_ns);
+	}
+
 	ctx = fc->fs_private;
 	if (ctx->pid_ns != ns) {
 		put_pid_ns(ctx->pid_ns);
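Review bot: the one-line description does not say where this runs or why the default is wrong; the hunk sits inside pid_ns_prepare_proc(), so the point is that the fs_context created for a pid namespace's own proc superblock must carry ns->user_ns rather than the user namespace it was given by default, and the commit message should say so. A short comment above the `if` would also help, because a bare put_user_ns()/get_user_ns() swap reads like a refcount fix rather than the ownership correction it is.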
-- 
2.17.1


* Re: [PATCH dhowells/mount-api] proc: set a proper user namespace for fs_context
From: Andrei Vagin @ 2018-08-16 22:16 UTC (permalink / raw)
  To: David Howells; +Cc: linux-fsdevel

Hi David,

I reported this problem about a month ago when patches were not in the
linux-next. Now they are there and we can't run CRIU tests, because it
is impossible to mount /proc in a container.

[root@fc24 ~]# strace unshare -Urnm --mount-proc true

unshare(CLONE_NEWNS|CLONE_NEWNET|CLONE_NEWUSER) = 0
openat(AT_FDCWD, "/proc/self/setgroups", O_WRONLY) = 3
write(3, "deny", 4)                     = 4
close(3)                                = 0
openat(AT_FDCWD, "/proc/self/uid_map", O_WRONLY) = 3
write(3, "0 0 1", 5)                    = 5
close(3)                                = 0
openat(AT_FDCWD, "/proc/self/gid_map", O_WRONLY) = 3
write(3, "0 0 1", 5)                    = 5
close(3)                                = 0
mount("none", "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
mount("none", "/proc", NULL, MS_REC|MS_PRIVATE, NULL) = 0
mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EBUSY (Device or resource busy)

https://travis-ci.org/avagin/linux/jobs/416641093

Thanks,
Andrei

On Thu, Aug 16, 2018 at 12:34 AM Andrei Vagin <avagin@openvz.org> wrote:
>
> A user namespace should be taken from a pidns for which a procfs is created.
>
> Signed-off-by: Andrei Vagin <avagin@gmail.com>
> ---
>  fs/proc/root.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/fs/proc/root.c b/fs/proc/root.c
> index 1d6e5bfa30cc..1419b48a89ab 100644
> --- a/fs/proc/root.c
> +++ b/fs/proc/root.c
> @@ -315,6 +315,11 @@ int pid_ns_prepare_proc(struct pid_namespace *ns)
>         if (IS_ERR(fc))
>                 return PTR_ERR(fc);
>
> +       if (fc->user_ns != ns->user_ns) {
> +               put_user_ns(fc->user_ns);
> +               fc->user_ns = get_user_ns(ns->user_ns);
> +       }
> +
>         ctx = fc->fs_private;
>         if (ctx->pid_ns != ns) {
>                 put_pid_ns(ctx->pid_ns);
> --
> 2.17.1
>
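The report above is a one-shot strace. As an added example (not from the thread, CRIU or the kernel tree), the script below turns it into a repeatable regression check: it creates the namespaces the way `unshare -Urm` does, mounts procfs explicitly as `--mount-proc` would, and classifies the outcome, distinguishing the EBUSY failure in the report from "could not create namespaces here" (unprivileged user namespaces disabled, `unshare(1)` absent, or a restricted sandbox) and from other mount errors. It goes slightly beyond the report by also offering a `pidns` variant (`-p --fork`), which is the path through pid_ns_prepare_proc() that the patch touches. The function name, the variant names and the numeric result codes are this example's own conventions.

```shell
#!/bin/sh
# Added example: regression check for mounting procfs in fresh namespaces.
# Result codes returned by check_proc_mount (this script's own convention):
#   0 = proc mounted (expected on a kernel without the bug)
#   1 = mount failed with EBUSY (the failure the report shows)
#   2 = skipped: the namespaces could not be created in this environment
#   3 = mount failed for some other reason (e.g. EPERM in a container
#       whose /proc is not fully visible)

check_proc_mount() {
    # $1 selects the variant: "userns" (unshare -Urm, as in the report) or
    # "pidns" (adds -p --fork so a new pid namespace sets up its own proc).
    variant=${1:-userns}
    case $variant in
        userns) flags="-Urm" ;;
        pidns)  flags="-Urmp --fork" ;;
        *) echo "unknown variant: $variant" >&2; return 3 ;;
    esac

    command -v unshare >/dev/null 2>&1 || return 2

    # Confirm the namespaces themselves can be created; otherwise skip.
    unshare $flags true 2>/dev/null || return 2

    # Mount proc inside the new namespaces and capture whatever it says.
    # "|| :" keeps a failing mount from tripping a caller that uses set -e.
    err=$(unshare $flags sh -c 'mount -t proc proc /proc 2>&1 && echo MOUNTED' 2>&1) || :
    case $err in
        *MOUNTED*)                            return 0 ;;
        *"Device or resource busy"*|*EBUSY*)  return 1 ;;
        *)                                    return 3 ;;
    esac
}

# Human-readable label for a result code.
describe_result() {
    case $1 in
        0) echo "proc mounted" ;;
        1) echo "EBUSY (the bug in the report)" ;;
        2) echo "skipped: cannot create namespaces here" ;;
        *) echo "mount failed with another error" ;;
    esac
}

# Run both variants when executed directly and print one verdict line each.
for v in userns pidns; do
    rc=0
    check_proc_mount "$v" || rc=$?
    echo "variant=$v result=$rc ($(describe_result "$rc"))"
done
```

Run it as an ordinary user on the kernel under test; a result of 1 for either variant reproduces the report, while 2 means the environment, not the kernel, prevented the check and the run should be repeated where unprivileged user namespaces are allowed.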


* Re: [PATCH dhowells/mount-api] proc: set a proper user namespace for fs_context
From: David Howells @ 2018-08-21  7:33 UTC (permalink / raw)
  To: Andrei Vagin
  Cc: dhowells, linux-fsdevel, Andrei Vagin, Eric Biederman, Alexander Viro

Andrei Vagin <avagin@openvz.org> wrote:

> A user namespace should be taken from a pidns for which a procfs is created.

That would seem wrong.  Shouldn't the superblock user_ns be from the mounter?

Adding Al and Eric to the list to get their opinion.

David

> Signed-off-by: Andrei Vagin <avagin@gmail.com>
> ---
>  fs/proc/root.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/fs/proc/root.c b/fs/proc/root.c
> index 1d6e5bfa30cc..1419b48a89ab 100644
> --- a/fs/proc/root.c
> +++ b/fs/proc/root.c
> @@ -315,6 +315,11 @@ int pid_ns_prepare_proc(struct pid_namespace *ns)
>  	if (IS_ERR(fc))
>  		return PTR_ERR(fc);
>  
> +	if (fc->user_ns != ns->user_ns) {
> +		put_user_ns(fc->user_ns);
> +		fc->user_ns = get_user_ns(ns->user_ns);
> +	}
> +
>  	ctx = fc->fs_private;
>  	if (ctx->pid_ns != ns) {
>  		put_pid_ns(ctx->pid_ns);


* Re: [PATCH dhowells/mount-api] proc: set a proper user namespace for fs_context
From: David Howells @ 2018-08-21  7:39 UTC (permalink / raw)
  Cc: dhowells, Andrei Vagin, linux-fsdevel, Andrei Vagin,
	Eric Biederman, Alexander Viro

David Howells <dhowells@redhat.com> wrote:

> > A user namespace should be taken from a pidns for which a procfs is created.
> 
> That would seem wrong.  Shouldn't the superblock user_ns be from the mounter?

Ah, no.  The change is correct.  What the patch description doesn't mention is
that this is when a new pid namespace is setting up its own proc filesystem.

I'll change the subject and patch body to:

    proc: Set correct userns for new proc super created by a new pid_namespace

    Fix the setting up a new proc superblock for a new pid_namespace such that
    the user_ns for that proc superblock needs to be taken from the new
    pid_namespace and not the active process.

which I think describes it better.

David
