Date: Thu, 1 Sep 2016 00:12:54 -0500 From: "Serge E. Hallyn" To: Andrey Vagin Cc: "Serge E. Hallyn" , Serge Hallyn , Linux API , Linux Containers , LKML , Alexander Viro , James Bottomley , "Eric W. Biederman" , linux-fsdevel , "Michael Kerrisk (man-pages)" Subject: Re: [PATCH 1/4] kernel: add a helper to get an owning user namespace for a namespace Message-ID: <20160901051254.GA5893@mail.hallyn.com> References: <1472252891-4963-1-git-send-email-avagin@openvz.org> <1472252891-4963-2-git-send-email-avagin@openvz.org> <20160831025605.GA21788@mail.hallyn.com>
On Wed, Aug 31, 2016 at 01:38:35PM -0700, Andrey Vagin wrote: > On Tue, Aug 30, 2016 at 7:56 PM, Serge E. Hallyn wrote: > > On Fri, Aug 26, 2016 at 04:08:08PM -0700, Andrei Vagin wrote: > >> +struct ns_common *ns_get_owner(struct ns_common *ns) > >> +{ > >> + struct user_namespace *my_user_ns = current_user_ns(); > >> + struct user_namespace *owner, *p; > >> + > >> + /* See if the owner is in the current user namespace */ > >> + owner = p = ns->ops->get_owner(ns); > >> + for (;;) { > >> + if (!p) > >> + return ERR_PTR(-EPERM); > >> + if (p == my_user_ns) > >> + break; > >> + p = p->parent; > >> + } > >> + > >> + return &get_user_ns(owner)->ns; > > > > get_user_ns() bumps the owner's refcount. I don't see where > > this is being dropped, especially when ns_ioctl() uses it in > > the next patch. 
> > It is dropped in __ns_get_path if a namespace has a dentry, otherwise > it is dropped from nsfs_evict. > > static void *__ns_get_path(struct path *path, struct ns_common *ns) > | return -EPERM; > ... > ns->ops->put(ns); | > got_it: > | /* See if the owner is in the current user namespace > */ > path->mnt = mnt; > | owner = p = ns->ops->get_owner(ns); > path->dentry = dentry; > | for (;;) { > return NULL; > ... > > static void nsfs_evict(struct inode *inode) | > { > | if (!ns_capable(user_ns, CAP_SYS_ADMIN)) > struct ns_common *ns = inode->i_private; > | return -EPERM; > clear_inode(inode); | > ns->ops->put(ns); > | cred = prepare_creds(); > } Gotcha, thanks.
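
Review bot: the reference taken by get_user_ns(owner) on the last line of ns_get_owner() has no documented owner, which is why the question about where it is dropped had to be asked on the list. A comment above the function should state that the returned ns_common carries a reference the caller must release (per the reply, through ns->ops->put(ns) in __ns_get_path or nsfs_evict), and that failure is reported as ERR_PTR(-EPERM) rather than NULL, so callers need an IS_ERR() check. The in-function comment "See if the owner is in the current user namespace" also understates the check: the loop follows p->parent until it reaches my_user_ns, so it accepts an owner that is the caller's user namespace or any descendant of it, and the comment should say so because that is the permission rule this helper enforces.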