[PATCH dhowells/mount-api] proc: set a proper user namespace for fs_context

[PATCH dhowells/mount-api] proc: set a proper user namespace for fs_context

[Andrei Vagin]

A user namespace should be taken from a pidns for which a procfs is created.

Signed-off-by: Andrei Vagin <avagin@gmail.com>
---
 fs/proc/root.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/proc/root.c b/fs/proc/root.c
index 1d6e5bfa30cc..1419b48a89ab 100644
--- a/fs/proc/root.c
+++ b/fs/proc/root.c
@@ -315,6 +315,11 @@ int pid_ns_prepare_proc(struct pid_namespace *ns)
 	if (IS_ERR(fc))
 		return PTR_ERR(fc);
 
+	if (fc->user_ns != ns->user_ns) {
+		put_user_ns(fc->user_ns);
+		fc->user_ns = get_user_ns(ns->user_ns);
+	}
+
 	ctx = fc->fs_private;
 	if (ctx->pid_ns != ns) {
 		put_pid_ns(ctx->pid_ns);
-- 
2.17.1

Re: [PATCH dhowells/mount-api] proc: set a proper user namespace for fs_context

[Andrei Vagin]

Hi David,

I reported this problem about a month ago when patches were not in the
linux-next. Now they are there and we can't run CRIU tests, because it
is impossible to mount /proc in a container.

[root@fc24 ~]# strace unshare -Urnm --mount-proc true

unshare(CLONE_NEWNS|CLONE_NEWNET|CLONE_NEWUSER) = 0
openat(AT_FDCWD, "/proc/self/setgroups", O_WRONLY) = 3
write(3, "deny", 4)                     = 4
close(3)                                = 0
openat(AT_FDCWD, "/proc/self/uid_map", O_WRONLY) = 3
write(3, "0 0 1", 5)                    = 5
close(3)                                = 0
openat(AT_FDCWD, "/proc/self/gid_map", O_WRONLY) = 3
write(3, "0 0 1", 5)                    = 5
close(3)                                = 0
mount("none", "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
mount("none", "/proc", NULL, MS_REC|MS_PRIVATE, NULL) = 0
mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) =
-1 EBUSY (Device or resource busy)

https://travis-ci.org/avagin/linux/jobs/416641093

Thanks,
Andrei
On Thu, Aug 16, 2018 at 12:34 AM Andrei Vagin <avagin@openvz.org> wrote:
>
> A user namespace should be taken from a pidns for which a procfs is created.
>
> Signed-off-by: Andrei Vagin <avagin@gmail.com>
> ---
>  fs/proc/root.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/fs/proc/root.c b/fs/proc/root.c
> index 1d6e5bfa30cc..1419b48a89ab 100644
> --- a/fs/proc/root.c
> +++ b/fs/proc/root.c
> @@ -315,6 +315,11 @@ int pid_ns_prepare_proc(struct pid_namespace *ns)
>         if (IS_ERR(fc))
>                 return PTR_ERR(fc);
>
> +       if (fc->user_ns != ns->user_ns) {
> +               put_user_ns(fc->user_ns);
> +               fc->user_ns = get_user_ns(ns->user_ns);
> +       }
> +
>         ctx = fc->fs_private;
>         if (ctx->pid_ns != ns) {
>                 put_pid_ns(ctx->pid_ns);
> --
> 2.17.1
>

Re: [PATCH dhowells/mount-api] proc: set a proper user namespace for fs_context

[David Howells]

Andrei Vagin <avagin@openvz.org> wrote:

> A user namespace should be taken from a pidns for which a procfs is created.

That would seem wrong.  Shouldn't the superblock user_ns be from the mounter?

Adding Al and Eric to the list to get their opinion.

David

> Signed-off-by: Andrei Vagin <avagin@gmail.com>
> ---
>  fs/proc/root.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/fs/proc/root.c b/fs/proc/root.c
> index 1d6e5bfa30cc..1419b48a89ab 100644
> --- a/fs/proc/root.c
> +++ b/fs/proc/root.c
> @@ -315,6 +315,11 @@ int pid_ns_prepare_proc(struct pid_namespace *ns)
>  	if (IS_ERR(fc))
>  		return PTR_ERR(fc);
>  
> +	if (fc->user_ns != ns->user_ns) {
> +		put_user_ns(fc->user_ns);
> +		fc->user_ns = get_user_ns(ns->user_ns);
> +	}
> +
>  	ctx = fc->fs_private;
>  	if (ctx->pid_ns != ns) {
>  		put_pid_ns(ctx->pid_ns);

Re: [PATCH dhowells/mount-api] proc: set a proper user namespace for fs_context

[David Howells]

David Howells <dhowells@redhat.com> wrote:

> > A user namespace should be taken from a pidns for which a procfs is created.
> 
> That would seem wrong.  Shouldn't the superblock user_ns be from the mounter?

Ah, no.  The change is correct.  What the patch description doesn't mention is
that this is when a new pid namespace is setting up its own proc filesystem.

I'll change the subject and patch body to:

    proc: Set correct userns for new proc super created by a new pid_namespace

    Fix the setting up a new proc superblock for a new pid_namespace such that
    the user_ns for that proc superblock needs to be taken from the new
    pid_namespace and not the active process.

which I think describes it better.

David