Open Source and information security mailing list archives
Date:   Tue, 24 Jan 2017 07:21:11 +1300
From: (Eric W. Biederman)
To:     Oleg Nesterov <>
Cc:     Pavel Tikhomirov <>,
        Lennart Poettering <>,
        Kay Sievers <>,
        Ingo Molnar <>,
        Peter Zijlstra <>,
        Andrew Morton <>,
        Cyrill Gorcunov <>,
        John Stultz <>,
        Thomas Gleixner <>,
        Nicolas Pitre <>,
        Michal Hocko <>,
        Stanislav Kinsburskiy <>,
        Mateusz Guzik <>,
        Pavel Emelyanov <>,
        Konstantin Khorenko <>
Subject: Re: setns() && PR_SET_CHILD_SUBREAPER

Oleg Nesterov <> writes:

> And this discussion reminds me again that I do not understand how setns()
> and PR_SET_CHILD_SUBREAPER should play together... Add cc's.

I agree that they are currently playing together incorrectly.

> Suppose we have a process P in the root namespace and another namespace X.
> P does setns() and enters the X namespace.
> P forks a child C.
> C forks a grandchild G.
> C exits.
> The question is, where should we reparent the grandchild G? In the normal
> case it will be reparented to X->child_reaper and this looks correct.
> But let's suppose that P runs with the ->has_child_subreaper bit set. In
> this case it will be reparented to P's sub-reaper or a global init, and
> given that P can't control its ->has_child_subreaper flag this does not
> look right to me.
> I can make a simple patch but perhaps I missed something or we actually
> want this (imo strange) behaviour?

We definitely do not want a child to be reparented out of a pid namespace
when the pid namespace has a perfectly fine child_reaper.

The special case for the init_task in find_new_reaper appears to be the
instance of this problem that was considered in the code.

Given the semantics described and asked for of PR_SET_CHILD_SUBREAPER I
believe has_child_subreaper needs to be strictly considered an
implementation detail and any way that userspace can observe it a bug in
the code.

Semantically what we want to do is walk up the parents in the process
tree.  If a parent has is_child_subreaper set, we stop at it.  If, in the
transition from one parent to the next, we are switching pid namespaces,
we want the reaper from the pid namespace.

As I recall has_child_subreaper was just supposed to be an optimization
so the common case would not have to walk up the process tree when
finding its parent.

If we retain any optimizations such as has_child_subreaper please
consider the case where a process with is_child_subreaper set exits,
and what happens to its children.

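As an added illustration, not code from this thread or from the kernel, here is a small userspace model of the two reaper walks being contrasted: the current one, which climbs real_parent from the exiting task until it meets that task's namespace reaper and so can leave the namespace when the parent was injected by setns()+fork(), and the one Eric describes, which stops as soon as a step up the tree would change pid namespace. The process tree (init, a root-namespace subreaper S, P which has setns()'d into X, Xinit, C, G, and a subreaper S2 with child C2 inside X), the `level` field used to detect the boundary, and the helper names are all assumptions made for the example; the kernel's find_new_reaper() is not reproduced here.

```c
/* Added userspace model of "where do an exiting task's children go?" for the
 * setns() + PR_SET_CHILD_SUBREAPER discussion.  It is not the kernel's
 * find_new_reaper(); the process tree below is constructed for the example. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct pid_ns;

struct task {
    const char *name;
    struct task *real_parent;
    struct pid_ns *ns;          /* namespace the task's own pid lives in */
    bool is_child_subreaper;    /* the task called PR_SET_CHILD_SUBREAPER */
    bool has_child_subreaper;   /* inherited hint: some ancestor is a subreaper */
    bool alive;
};

struct pid_ns {
    const char *name;
    int level;                  /* 0 for the root namespace, +1 per nesting */
    struct task *child_reaper;  /* the namespace's init */
};

/* Current behaviour as the thread describes it: when the hint is set, climb
 * real_parent from the exiting father until its namespace reaper is reached,
 * taking the first live subreaper on the way.  A father injected by
 * setns()+fork() has a parent chain that never passes that reaper, so the
 * walk leaves the namespace and can land on a subreaper outside it. */
static struct task *reaper_current(struct task *father)
{
    struct task *ns_reaper = father->ns->child_reaper;
    if (!father->has_child_subreaper)
        return ns_reaper;
    for (struct task *r = father; r && r != ns_reaper; r = r->real_parent)
        if (r->is_child_subreaper && r->alive)
            return r;
    return ns_reaper;
}

/* Behaviour Eric asks for: climb the tree and stop at the first live
 * subreaper, but if the step to the next parent changes pid namespace, stop
 * and use the exiting task's own namespace reaper.  The has_child_subreaper
 * hint is deliberately not consulted. */
static struct task *reaper_wanted(struct task *father)
{
    for (struct task *r = father->real_parent; r; r = r->real_parent) {
        if (r->ns->level != father->ns->level)
            break;                          /* would cross a namespace */
        if (r->is_child_subreaper && r->alive)
            return r;
    }
    return father->ns->child_reaper;
}

/* Constructed tree: root namespace with subreaper S, namespace X with init Xinit. */
static struct pid_ns root_ns = { "root", 0, NULL }, x_ns = { "X", 1, NULL };
static struct task tasks[8];

static void build_tree(void)
{
    struct task *t = tasks;
    /*                     name     parent  ns        is     has    alive */
    t[0] = (struct task){ "init",  NULL,   &root_ns, false, false, true };
    t[1] = (struct task){ "S",     &t[0],  &root_ns, true,  false, true };  /* root-ns subreaper */
    t[2] = (struct task){ "P",     &t[1],  &root_ns, false, true,  true };  /* did setns() into X */
    t[3] = (struct task){ "Xinit", &t[0],  &x_ns,    false, false, true };
    t[4] = (struct task){ "C",     &t[2],  &x_ns,    false, true,  false }; /* forked by P in X, exiting */
    t[5] = (struct task){ "G",     &t[4],  &x_ns,    false, true,  true };  /* orphaned when C exits */
    t[6] = (struct task){ "S2",    &t[3],  &x_ns,    true,  false, true };  /* subreaper inside X */
    t[7] = (struct task){ "C2",    &t[6],  &x_ns,    false, true,  true };
    root_ns.child_reaper = &t[0];
    x_ns.child_reaper = &t[3];
}

/* Look a task up by name, building the tree on first use. */
static struct task *tree_task(const char *name)
{
    if (tasks[0].name == NULL)
        build_tree();
    for (size_t i = 0; i < sizeof tasks / sizeof tasks[0]; i++)
        if (strcmp(tasks[i].name, name) == 0)
            return &tasks[i];
    return NULL;
}

/* Mark a task as exiting and hand it back so the caller can ask where its children go. */
static struct task *exiting(struct task *t) { t->alive = false; return t; }

int main(void)
{
    struct task *c = tree_task("C"), *s2 = exiting(tree_task("S2"));
    printf("C exits:  G  -> %s (current) / %s (wanted)\n",
           reaper_current(c)->name, reaper_wanted(c)->name);
    printf("S2 exits: C2 -> %s (current) / %s (wanted)\n",
           reaper_current(s2)->name, reaper_wanted(s2)->name);
    return 0;
}
```

Run as-is, C's orphan G goes to S (outside X) under the current walk but to Xinit under the wanted one. For the case Eric raises at the end, a subreaper S2 inside X exiting, both walks hand C2 to Xinit, because nothing above S2 inside X is a subreaper and the next step up would leave the namespace.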
