From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752083AbcFFMGH (ORCPT <rfc822;w@1wt.eu>);
	Mon, 6 Jun 2016 08:06:07 -0400
Received: from cn.fujitsu.com ([59.151.112.132]:24587 "EHLO
	heian.cn.fujitsu.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org
	with ESMTP id S1751488AbcFFMGE (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 6 Jun 2016 08:06:04 -0400
X-IronPort-AV: E=Sophos;i="5.22,518,1449504000"; 
   d="scan'208";a="7407293"
From: Zhao Lei <zhaolei@cn.fujitsu.com>
To: <linux-kernel@vger.kernel.org>
CC: <containers@lists.linux-foundation.org>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        Mateusz Guzik <mguzik@redhat.com>,
        Kamezawa Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>,
        Zhao Lei <zhaolei@cn.fujitsu.com>
Subject: [PATCH 3/3] Write dump into container's filesystem for pipe_type core_pattern
Date: Mon, 6 Jun 2016 20:02:10 +0800
Message-ID: <2585183a0558b8fcc4e26c2d170d710355fd42ff.1465214472.git.zhaolei@cn.fujitsu.com>
X-Mailer: git-send-email 1.8.5.1
In-Reply-To: <cover.1465214472.git.zhaolei@cn.fujitsu.com>
References: <cover.1465214472.git.zhaolei@cn.fujitsu.com>
MIME-Version: 1.0
Content-Type: text/plain
X-yoursite-MailScanner-ID: 774BC41C0B95.A7243
X-yoursite-MailScanner: Found to be clean
X-yoursite-MailScanner-From: zhaolei@cn.fujitsu.com
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In current system, when we set core_pattern to a pipe, both pipe program
and program's output are in host's filesystem.
But when we set core_pattern to a file, the container will write dump
into container's filesystem.

For example, when we set following core_pattern:
 # echo "|/my_dump_pipe %s %c %p %u %g %t e" >/proc/sys/kernel/core_pattern
and trigger a segment fault in a container, my_dump_pipe is searched from
host's filesystem, and it will write coredump into host's filesystem too.

In a privileged container, user can destroy host system by following
command:
 # # In a container
 # echo "|/bin/dd of=/boot/vmlinuz" >/proc/sys/kernel/core_pattern
 # make_dump

Actually, all operation in a container should not change host's
environment, the container should use core_pattern as its private setting.
In detail, in core dump action:
1: Search pipe program in container's fs namespace.
2: Run pipe program in container's fs namespace to write coredump to it.

This patch fixed above problem by running pipe program with container's
fs_root.

Test:
 1: do dump in host
    should have same action with current code.
    [HOST] # ulimit -c 1024000
    [HOST] # rm -f /tmp/*dump*
    [HOST] # echo "|/dump_pipe %s %c %p %u %g %t e" >/proc/sys/kernel/core_pattern
    [HOST] # ./make_dump
    [HOST] Segmentation fault (core dumped)
    [HOST] # ls -l /tmp/*dump*  # Should see host_dump_*.
    [HOST] -rw-r--r-- 1 root root 331776 Apr 15 18:01 /tmp/host_dump_11_1048576000_2356_0_0_1460714470
 2: do dump after change core_pattern in container
    the container should write dump into its filesystem.
    [HOST] # rm -f /tmp/*dump*
    [HOST] # echo "|/dump_pipe %s %c %p %u %g %t e" >/proc/sys/kernel/core_pattern
    [HOST] # lxc-start -n vm_dumptest
    [GUEST]Please press Enter to activate this console.
    [GUEST]# ulimit -c 1024000
    [GUEST]# rm -f /tmp/*dump*
    [GUEST]# echo "|/dump_pipe %s %c %p %u %g %t e" >/proc/sys/kernel/core_pattern
    [GUEST]# ./make_dump
    [GUEST]Segmentation fault (core dumped)
    [GUEST]# ls -l /tmp/*dump*  # Should see guest_dump_*
    [GUEST]-rw-r--r--    1 root     root       331776 Apr 15 10:01 /tmp/guest_dump_11_524288000_12_0_0_1460714482
 3: do dump without change core_pattern in container
    the container should write dump into host's filesystem to keep compatibility.
    [HOST] # rm -f /tmp/*dump*
    [HOST] # echo "|/dump_pipe %s %c %p %u %g %t e" >/proc/sys/kernel/core_pattern
    [HOST] # lxc-start -n vm_dumptest
    [GUEST]Please press Enter to activate this console.
    [GUEST]# ulimit -c 1024000
    [GUEST]# rm -f /tmp/*dump*
    [GUEST]# ./make_dump
    [GUEST]Segmentation fault (core dumped)
    [GUEST]# ls -l /tmp/*dump*  # Should not see dump file
    [GUEST]ls: /tmp/*dump*: No such file or directory
    [HOST] # ls -l /tmp/*dump*  # Should see dump file
    [HOST] -rw-r--r-- 1 root root 331776 Apr 15 18:01 /tmp/host_dump_11_524288000_12_0_0_1460714516

Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com>
---
 fs/coredump.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/fs/coredump.c b/fs/coredump.c
index 864985e..4616a25 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -592,6 +592,8 @@ void do_coredump(const siginfo_t *siginfo)
 		int dump_count;
 		char **helper_argv;
 		struct subprocess_info *sub_info;
+		struct pid_namespace *pid_ns;
+		struct path root_fs;
 
 		if (ispipe < 0) {
 			printk(KERN_WARNING "format_corename failed\n");
@@ -638,15 +640,29 @@ void do_coredump(const siginfo_t *siginfo)
 			goto fail_dropcount;
 		}
 
+		pid_ns = task_active_pid_ns(current);
+		spin_lock(&pid_ns->root_for_dump_lock);
+		while (pid_ns != &init_pid_ns) {
+			if (pid_ns->root_for_dump.mnt)
+				break;
+			spin_unlock(&pid_ns->root_for_dump_lock);
+			pid_ns = pid_ns->parent,
+			spin_lock(&pid_ns->root_for_dump_lock);
+		}
+		root_fs = pid_ns->root_for_dump;
+		path_get(&root_fs);
+		spin_unlock(&pid_ns->root_for_dump_lock);
+
 		retval = -ENOMEM;
 		sub_info = call_usermodehelper_setup(helper_argv[0],
 						helper_argv, NULL, GFP_KERNEL,
 						umh_pipe_setup, NULL, &cprm,
-						NULL);
+						&root_fs);
 		if (sub_info)
 			retval = call_usermodehelper_exec(sub_info,
 							  UMH_WAIT_EXEC);
 
+		path_put(&root_fs);
 		argv_free(helper_argv);
 		if (retval) {
 			printk(KERN_INFO "Core dump to |%s pipe failed\n",
-- 
1.8.5.1