From: ebiederm@xmission.com (Eric W. Biederman)
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>, viro@zeniv.linux.org.uk,
        serge.hallyn@canonical.com, jlayton@redhat.com,
        lucas.demarchi@profusion.mobi, rusty@rustcorp.com.au,
        linux-kernel@vger.kernel.org, oleg@redhat.com, bharrosh@panasas.com,
        linux-fsdevel@vger.kernel.org, akpm@linux-foundation.org,
        devel@openvz.org
References: <20130522072840.27720.85023.stgit@localhost.localdomain>
	<878v36ex6n.fsf@xmission.com> <87wqqqdfqr.fsf@xmission.com>
	<20130522192339.GB31069@fieldses.org>
Date: Wed, 22 May 2013 20:37:23 -0700
In-Reply-To: <20130522192339.GB31069@fieldses.org> (J. Bruce Fields's message
	of "Wed, 22 May 2013 15:23:39 -0400")
Message-ID: <87vc6abc3w.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Subject: Re: [RFC PATCH] fs: call_usermodehelper_root helper introduced
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 2419
Lines: 52

"J. Bruce Fields" <bfields@fieldses.org> writes:

> On Wed, May 22, 2013 at 11:35:56AM -0700, Eric W. Biederman wrote:
>> ebiederm@xmission.com (Eric W. Biederman) writes:
>> 
>> > I am missing a lot of context here and capturing the context of a
>> > process at time time we mount the filesystem and reconstituing it in
>> > call user mode helper seems like something we could do.
>
> So it's not enough just to ensure that the user namespace is set
> correctly?  (To the namespace of the mount process in the nfs case, or
> of the process that starts nfsd in the nfsd case.)

No.  By just setting the user namespace, you gain the ability to create
processes outside of your curremt rlimits, and cgroups, and pid
namespace, etc.

With the wrong set of namespaces you will talk to the wrong processes,
or utilize the wrong resources.

Outside of your current cgroup you gain the ability to use more
resources than you were limited to.

Having thought about it what I would propose is to fork a process from
the context of the mounting process (or possibly from the context of the
process that writes to the sysctl that sets the program to spawn) and
have that process be a daemon that becomes responsible for spawning user
mode helpers with context.  Either that or whe need the user mode helper
userspace infrastructure to become namespace aware and call setns.

>> If we want to do something like this the only sane thing I can see is to
>> have a per container version of kthread call it uthread.  That the user
>> mode helper code would use to launch a new process.
>> 
>> Anything else and I expect we will be tearing our hair out for the rest
>> of our lives with weird corner cases or unexpected semantics.
>
> Could you give examples of weird corner cases or unexpected semantics?

I gave a couple and it is the classic problem with suid executables
where a lot of unexpected things are inherited from the environment, and
so things become a never ending race.  We replaced daemonize in the
kernel with just forking processes from kthreadd for this very reason.
There was always something else that needed to be reset to make a
process a proper kernel thread.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/