1. 19 11月, 2012 5 次提交
    • E
      pidns: Don't allow new processes in a dead pid namespace. · 5e1182de
      Eric W. Biederman 提交于
      Set nr_hashed to -1 just before we schedule the work to cleanup proc.
      Test nr_hashed just before we hash a new pid and if nr_hashed is < 0
      fail.
      
      This guaranteees that processes never enter a pid namespaces after we
      have cleaned up the state to support processes in a pid namespace.
      
      Currently sending SIGKILL to all of the process in a pid namespace as
      init exists gives us this guarantee but we need something a little
      stronger to support unsharing and joining a pid namespace.
      Acked-by: N"Serge E. Hallyn" <serge@hallyn.com>
      Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
      5e1182de
    • E
      pidns: Make the pidns proc mount/umount logic obvious. · 0a01f2cc
      Eric W. Biederman 提交于
      Track the number of pids in the proc hash table.  When the number of
      pids goes to 0 schedule work to unmount the kernel mount of proc.
      
      Move the mount of proc into alloc_pid when we allocate the pid for
      init.
      
      Remove the surprising calls of pid_ns_release proc in fork and
      proc_flush_task.  Those code paths really shouldn't know about proc
      namespace implementation details and people have demonstrated several
      times that finding and understanding those code paths is difficult and
      non-obvious.
      
      Because of the call path detach pid is alwasy called with the
      rtnl_lock held free_pid is not allowed to sleep, so the work to
      unmounting proc is moved to a work queue.  This has the side benefit
      of not blocking the entire world waiting for the unnecessary
      rcu_barrier in deactivate_locked_super.
      
      In the process of making the code clear and obvious this fixes a bug
      reported by Gao feng <gaofeng@cn.fujitsu.com> where we would leak a
      mount of proc during clone(CLONE_NEWPID|CLONE_NEWNET) if copy_pid_ns
      succeeded and copy_net_ns failed.
      Acked-by: N"Serge E. Hallyn" <serge@hallyn.com>
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      0a01f2cc
    • E
      pidns: Use task_active_pid_ns where appropriate · 17cf22c3
      Eric W. Biederman 提交于
      The expressions tsk->nsproxy->pid_ns and task_active_pid_ns
      aka ns_of_pid(task_pid(tsk)) should have the same number of
      cache line misses with the practical difference that
      ns_of_pid(task_pid(tsk)) is released later in a processes life.
      
      Furthermore by using task_active_pid_ns it becomes trivial
      to write an unshare implementation for the the pid namespace.
      
      So I have used task_active_pid_ns everywhere I can.
      
      In fork since the pid has not yet been attached to the
      process I use ns_of_pid, to achieve the same effect.
      Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
      17cf22c3
    • E
      pidns: Capture the user namespace and filter ns_last_pid · 49f4d8b9
      Eric W. Biederman 提交于
      - Capture the the user namespace that creates the pid namespace
      - Use that user namespace to test if it is ok to write to
        /proc/sys/kernel/ns_last_pid.
      
      Zhao Hongjiang <zhaohongjiang@huawei.com> noticed I was missing a put_user_ns
      in when destroying a pid_ns.  I have foloded his patch into this one
      so that bisects will work properly.
      Acked-by: NSerge Hallyn <serge.hallyn@canonical.com>
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      49f4d8b9
    • E
      userns: make each net (net_ns) belong to a user_ns · 038e7332
      Eric W. Biederman 提交于
      The user namespace which creates a new network namespace owns that
      namespace and all resources created in it.  This way we can target
      capability checks for privileged operations against network resources to
      the user_ns which created the network namespace in which the resource
      lives.  Privilege to the user namespace which owns the network
      namespace, or any parent user namespace thereof, provides the same
      privilege to the network resource.
      
      This patch is reworked from a version originally by
      Serge E. Hallyn <serge.hallyn@canonical.com>
      Acked-by: NSerge Hallyn <serge.hallyn@canonical.com>
      Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
      038e7332
  2. 26 10月, 2012 2 次提交
    • H
      Makefile: Documentation for external tool should be correct · 2008713c
      H. Peter Anvin 提交于
      If one includes documentation for an external tool, it should be
      correct.  This is not:
      
      1. Overriding the input to rngd should typically be neither
         necessary nor desired.  This is especially so since newer
         versions of rngd support a number of different *types* of sources.
      2. The default kernel-exported device is called /dev/hwrng not
         /dev/hwrandom nor /dev/hw_random (both of which were used in the
         past; however, kernel and udev seem to have converged on
         /dev/hwrng.)
      
      Overall it is better if the documentation for rngd is kept with rngd
      rather than in a kernel Makefile.
      Signed-off-by: NH. Peter Anvin <hpa@linux.intel.com>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Jeff Garzik <jgarzik@redhat.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      2008713c
    • A
      pidns: limit the nesting depth of pid namespaces · f2302505
      Andrew Vagin 提交于
      'struct pid' is a "variable sized struct" - a header with an array of
      upids at the end.
      
      The size of the array depends on a level (depth) of pid namespaces.  Now a
      level of pidns is not limited, so 'struct pid' can be more than one page.
      
      Looks reasonable, that it should be less than a page.  MAX_PIS_NS_LEVEL is
      not calculated from PAGE_SIZE, because in this case it depends on
      architectures, config options and it will be reduced, if someone adds a
      new fields in struct pid or struct upid.
      
      I suggest to set MAX_PIS_NS_LEVEL = 32, because it saves ability to expand
      "struct pid" and it's more than enough for all known for me use-cases.
      When someone finds a reasonable use case, we can add a config option or a
      sysctl parameter.
      
      In addition it will reduce the effect of another problem, when we have
      many nested namespaces and the oldest one starts dying.
      zap_pid_ns_processe will be called for each namespace and find_vpid will
      be called for each process in a namespace.  find_vpid will be called
      minimum max_level^2 / 2 times.  The reason of that is that when we found a
      bit in pidmap, we can't determine this pidns is top for this process or it
      isn't.
      
      vpid is a heavy operation, so a fork bomb, which create many nested
      namespace, can make a system inaccessible for a long time.  For example my
      system becomes inaccessible for a few minutes with 4000 processes.
      
      [akpm@linux-foundation.org: return -EINVAL in response to excessive nesting, not -ENOMEM]
      Signed-off-by: NAndrew Vagin <avagin@openvz.org>
      Acked-by: NOleg Nesterov <oleg@redhat.com>
      Cc: Cyrill Gorcunov <gorcunov@openvz.org>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Pavel Emelyanov <xemul@parallels.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      f2302505
  3. 25 10月, 2012 1 次提交
  4. 22 10月, 2012 1 次提交
  5. 20 10月, 2012 6 次提交
  6. 17 10月, 2012 2 次提交
  7. 13 10月, 2012 5 次提交
    • J
      audit: make audit_inode take struct filename · adb5c247
      Jeff Layton 提交于
      Keep a pointer to the audit_names "slot" in struct filename.
      
      Have all of the audit_inode callers pass a struct filename ponter to
      audit_inode instead of a string pointer. If the aname field is already
      populated, then we can skip walking the list altogether and just use it
      directly.
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      adb5c247
    • J
      vfs: make path_openat take a struct filename pointer · 669abf4e
      Jeff Layton 提交于
      ...and fix up the callers. For do_file_open_root, just declare a
      struct filename on the stack and fill out the .name field. For
      do_filp_open, make it also take a struct filename pointer, and fix up its
      callers to call it appropriately.
      
      For filp_open, add a variant that takes a struct filename pointer and turn
      filp_open into a wrapper around it.
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      669abf4e
    • J
      audit: allow audit code to satisfy getname requests from its names_list · 7ac86265
      Jeff Layton 提交于
      Currently, if we call getname() on a userland string more than once,
      we'll get multiple copies of the string and multiple audit_names
      records.
      
      Add a function that will allow the audit_names code to satisfy getname
      requests using info from the audit_names list, avoiding a new allocation
      and audit_names records.
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      7ac86265
    • J
      vfs: define struct filename and have getname() return it · 91a27b2a
      Jeff Layton 提交于
      getname() is intended to copy pathname strings from userspace into a
      kernel buffer. The result is just a string in kernel space. It would
      however be quite helpful to be able to attach some ancillary info to
      the string.
      
      For instance, we could attach some audit-related info to reduce the
      amount of audit-related processing needed. When auditing is enabled,
      we could also call getname() on the string more than once and not
      need to recopy it from userspace.
      
      This patchset converts the getname()/putname() interfaces to return
      a struct instead of a string. For now, the struct just tracks the
      string in kernel space and the original userland pointer for it.
      
      Later, we'll add other information to the struct as it becomes
      convenient.
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      91a27b2a
    • A
      infrastructure for saner ret_from_kernel_thread semantics · a74fb73c
      Al Viro 提交于
      * allow kernel_execve() leave the actual return to userland to
      caller (selected by CONFIG_GENERIC_KERNEL_EXECVE).  Callers
      updated accordingly.
      * architecture that does select GENERIC_KERNEL_EXECVE in its
      Kconfig should have its ret_from_kernel_thread() do this:
      	call schedule_tail
      	call the callback left for it by copy_thread(); if it ever
      returns, that's because it has just done successful kernel_execve()
      	jump to return from syscall
      IOW, its only difference from ret_from_fork() is that it does call the
      callback.
      * such an architecture should also get rid of ret_from_kernel_execve()
      and __ARCH_WANT_KERNEL_EXECVE
      
      This is the last part of infrastructure patches in that area - from
      that point on work on different architectures can live independently.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      a74fb73c
  8. 12 10月, 2012 15 次提交
  9. 10 10月, 2012 3 次提交