| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20081222194737.GC9085@us.ibm.com> Date: Mon, 22 Dec 2008 11:47:37 -0800 From: Sukadev Bhattiprolu <sukadev@...ux.vnet.ibm.com> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: oleg@...hat.com, roland@...hat.com, bastian@...di.eu.org, daniel@...ac.com, xemul@...nvz.org, containers@...ts.osdl.org, linux-kernel@...r.kernel.org, sukadev@...ibm.com Subject: Re: [RFC][PATCH 0/6][v3] Container-init signal semantics Eric W. Biederman [ebiederm@...ssion.com] wrote: | Sukadev Bhattiprolu <sukadev@...ux.vnet.ibm.com> writes: | | > This patchset implements the design/simplified semantics suggested by | > Oleg Nesterov. The simplified semantics for container-init are: | > | > - container-init must never be terminated by a signal from a | > descendant process. | > | > - container-init must never be immune to SIGKILL from an ancestor | > namespace (so a process in parent namespace must always be able | > to terminate a descendant container). | > | > - container-init may be immune to unhandled fatal signals (like | > SIGUSR1) even if they are from ancestor namespace (SIGKILL is | > the only reliable signal from ancestor namespace). | | It sounds you are still struggling to get something that works and gets | done what needs to be done. So let me suggest a simplified semantic that | should be easier to implement and test, and solves the biggest problem | that we must solve in the kernel. | | - container-init ignores SIGKILL and SIGSTOP. Yes. | | - container-init is responsible for setting the rest of the signals | to SIG_IGN. Oleg pointed out that we could drop SIG_DFL signals to global init early to ensure wait_for_completion_killable/lock_page_killable don't incorrectly believe that a fatal signal is pending. (patch 2/6). If that patch is valid regardless of containers, it would be a minor extension to get container-inits to drop SIG_DFL signals too, right ? So the bigger problem/unknown for me is the sig_from_user() in patch 4/6 (i.e determining if it safe to deref the pid-ns of sender). We went from !in_interrupt() to the SIG_FROM_USER flag to this. If that is correct, I am hoping it would come down to opitmizing the code if possible (eg: can/should we avoid passing same_ns into sig_ignored() There is probably some ugliness :-) but do you see any other correctness issues ? -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists