lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20231011065446.53034-1-cuiyunhui@bytedance.com>
Date:   Wed, 11 Oct 2023 14:54:46 +0800
From:   Yunhui Cui <cuiyunhui@...edance.com>
To:     akpm@...ux-foundation.org, keescook@...omium.org,
        brauner@...nel.org, jeffxu@...gle.com, frederic@...nel.org,
        mcgrof@...nel.org, cyphar@...har.com, cuiyunhui@...edance.com,
        rongtao@...tc.cn, linux-kernel@...r.kernel.org
Subject: [PATCH] pid_ns: support pidns switching between sibling

In the scenario of container acceleration, when a target pstree
is cloned from a temp pstree, we hope that the cloned process is
inherently in the target's pid namespace.
Examples of what we expected:

/* switch to target ns first. */
setns(target_ns, CLONE_NEWPID);
if(!fork()) {
/* Child */
...
}
/* switch back */
setns(temp_ns, CLONE_NEWPID);

However, it is limited by the existing implementation, CAP_SYS_ADMIN
has been checked in pidns_install(), so remove the limitation that only
by traversing parent can switch pidns.

Signed-off-by: Yunhui Cui <cuiyunhui@...edance.com>
---
 kernel/pid_namespace.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
index 3028b2218aa4..774db1f268f1 100644
--- a/kernel/pid_namespace.c
+++ b/kernel/pid_namespace.c
@@ -389,7 +389,7 @@ static int pidns_install(struct nsset *nsset, struct ns_common *ns)
 {
 	struct nsproxy *nsproxy = nsset->nsproxy;
 	struct pid_namespace *active = task_active_pid_ns(current);
-	struct pid_namespace *ancestor, *new = to_pid_ns(ns);
+	struct pid_namespace *new = to_pid_ns(ns);
 
 	if (!ns_capable(new->user_ns, CAP_SYS_ADMIN) ||
 	    !ns_capable(nsset->cred->user_ns, CAP_SYS_ADMIN))
@@ -406,12 +406,6 @@ static int pidns_install(struct nsset *nsset, struct ns_common *ns)
 	if (new->level < active->level)
 		return -EINVAL;
 
-	ancestor = new;
-	while (ancestor->level > active->level)
-		ancestor = ancestor->parent;
-	if (ancestor != active)
-		return -EINVAL;
-
 	put_pid_ns(nsproxy->pid_ns_for_children);
 	nsproxy->pid_ns_for_children = get_pid_ns(new);
 	return 0;
-- 
2.20.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ