From: "Eric W. Biederman"
To: linux-kernel@vger.kernel.org
Cc: linux-api@vger.kernel.org, Linus Torvalds, Oleg Nesterov, Ingo Molnar, Thomas Gleixner, Kees Cook, Roland McGrath, Al Viro, David Howells, "Michael Kerrisk (man-pages)", "Eric W. Biederman"
Date: Tue, 6 Jun 2017 14:03:38 -0500
Message-Id: <20170606190338.28347-26-ebiederm@xmission.com>
In-Reply-To: <20170606190338.28347-1-ebiederm@xmission.com>
References: <877f0pym71.fsf@xmission.com> <20170606190338.28347-1-ebiederm@xmission.com>
Subject: [PATCH 26/26] pidns: Ensure zap_pid_ns_processes always terminates
X-Mailing-List: linux-kernel@vger.kernel.org

The function zap_pid_processes terminates when the number of pids used
by processes in a pid namespace drops to just those pids used by the
last thread of the dying thread.

Don't allow an init process aka a child_reaper to call
setpgid(0, some_other_processes_pid). That case is already broken today
as it would result in a pid namespace that will hang when the thread
group leader dies. Thankfully I have not received that bug report so it
appears that no one cares and uses that case.

Limiting setpgid ensures that the only two pids in the pid namespace on
the init process that are worth worrying about are the pid and the tgid.
The pgrp will now either match the tgid or it will be from outside the
pid namespace. Likewise the sid will either match the tgid or be from
outside the pid namespace.

To make it clear what is being counted test if the task's tgid is the
same as the task's pid. In particular the code does not count the number
of processes in a pid namespace, just the number of pids those processes
use. A subtle but important distinction for understanding the code.

Signed-off-by: "Eric W. Biederman"
---
 kernel/pid_namespace.c | 2 +-
 kernel/sys.c           | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
index 74a5a7255b4d..bdda73768cc0 100644
--- a/kernel/pid_namespace.c
+++ b/kernel/pid_namespace.c
@@ -208,7 +208,7 @@ void zap_pid_ns_processes(struct pid_namespace *pid_ns) int nr; int rc; struct task_struct *task, *me = current; - int init_pids = thread_group_leader(me) ? 1 : 2; + int init_pids = task_pid(me) != task_tgid(me) ? 2 : 1; /* Don't allow any more processes into the pid namespace */ disable_pid_allocation(pid_ns); diff --git a/kernel/sys.c b/kernel/sys.c index 705f14b28134..775dea1e2e06 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -975,7 +975,8 @@ SYSCALL_DEFINE2(setpgid, pid_t, pid, pid_t, pgid) pgrp = find_vpid(pgid); g = pid_task(pgrp, PIDTYPE_PGID); - if (!g || task_session(g) != task_session(group_leader)) + if (!g || task_session(g) != task_session(group_leader) || + is_child_reaper(task_tgid(p))) goto out; } -- 2.10.1
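Review bot: in the pid_namespace.c hunk, `init_pids = task_pid(me) != task_tgid(me) ? 2 : 1` is only a sufficient stopping condition because the sys.c half of this patch stops a child reaper from joining a foreign process group; that invariant (init's pgrp and sid are either its own tgid or pids of the parent namespace, so only pid and tgid can remain) is spelled out in the commit message but nowhere near the code. A one-line comment above the assignment would save the next reader a trip through git log, e.g. `/* init's pgrp/sid are its tgid or live in the parent pid namespace, so only pid and tgid are counted here */`. The rewrite itself is behaviour-preserving: for a thread group leader task_pid() and task_tgid() return the same struct pid, so the value is 1 exactly where thread_group_leader(me) was true.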
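Review bot: in the sys.c hunk, `is_child_reaper(task_tgid(p))` is evaluated on the target `p` rather than on the caller, so the refusal covers more than the setpgid(0, some_other_processes_pid) case the commit message describes: a parent that calls setpgid() on a child which has become the init of a nested pid namespace is now also rejected, and the message should state that. Placing the check inside the existing `pgid != pid` branch means init can still make itself a group leader with setpgid(0, 0), which matches the stated intent. The new condition reuses the existing `goto out` path and therefore returns whatever errno that path already produces for a bad target group; since "Michael Kerrisk (man-pages)" is on Cc, a matching setpgid(2) update for the new error condition should travel with the series.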
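Added example, not part of the patch or of the kernel tree: a small user-space C model of the accounting the commit message describes. The tasks, the pid numbers and the convention that numbers below NS_BASE belong to the parent namespace are all constructed here. It shows why `init_pids` is 1 or 2, that the count is of pids in use rather than of live processes, and why an init that had joined another process's group leaves the count stuck above the threshold, which is the hang the message refers to.

```c
/* Constructed model of the pid accounting zap_pid_ns_processes() waits on.
 * Nothing here touches a real kernel; all numbers are made up for the demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NS_BASE  1000   /* hypothetical: pid numbers >= NS_BASE live in the namespace */
#define MAX_SEEN 64

/* Each task holds up to four pid numbers: pid, tgid, process group, session. */
struct task {
    int pid;
    int tgid;
    int pgrp;
    int sid;
    bool alive;          /* false once the task has exited and been reaped */
};

static bool in_ns(int nr) { return nr >= NS_BASE; }

/* Count distinct pid numbers still referenced inside the namespace.  This is
 * the quantity the zap loop compares against, not the number of processes. */
static int count_ns_pids(const struct task *tasks, size_t n)
{
    int seen[MAX_SEEN];
    int nseen = 0;

    for (size_t i = 0; i < n; i++) {
        const struct task *t = &tasks[i];
        int nrs[4];
        if (!t->alive)
            continue;
        nrs[0] = t->pid; nrs[1] = t->tgid; nrs[2] = t->pgrp; nrs[3] = t->sid;
        for (int k = 0; k < 4; k++) {
            bool dup = false;
            if (!in_ns(nrs[k]))
                continue;            /* pgrp/sid from the parent namespace never count */
            for (int j = 0; j < nseen; j++)
                if (seen[j] == nrs[k]) { dup = true; break; }
            if (!dup && nseen < MAX_SEEN)
                seen[nseen++] = nrs[k];
        }
    }
    return nseen;
}

/* The patch's expression: the dying thread owns its pid and, when it is not
 * the group leader, the tgid as a second, distinct pid. */
int init_pids(const struct task *me)
{
    return me->pid != me->tgid ? 2 : 1;
}

/* Termination condition: nothing but the dying thread's own pids remain. */
static bool zap_would_terminate(const struct task *tasks, size_t n, const struct task *me)
{
    return count_ns_pids(tasks, n) <= init_pids(me);
}

/* Single-threaded init, alone in its own group and session; children reaped. */
bool scenario_leader_exits(void)
{
    struct task tasks[] = {
        { 1000, 1000, 1000, 1000, true  },   /* init, the dying leader */
        { 1001, 1001, 1001, 1000, false },   /* child already reaped */
    };
    return zap_would_terminate(tasks, 2, &tasks[0]);
}

/* Leader already gone; a non-leader thread runs the zap and still holds the tgid. */
bool scenario_thread_exits_after_leader(void)
{
    struct task tasks[] = {
        { 1000, 1000, 1000, 1000, false },   /* leader exited; 1000 lives on as tgid */
        { 1002, 1000, 1000, 1000, true  },   /* current thread */
    };
    return zap_would_terminate(tasks, 2, &tasks[1]);
}

/* The case the patch forbids: init joined another process's group first. */
bool scenario_init_joined_foreign_pgrp(void)
{
    struct task tasks[] = {
        { 1000, 1000, 1005, 1000, true  },   /* init after setpgid(0, 1005) */
        { 1005, 1005, 1005, 1000, false },   /* leader of group 1005, already dead */
    };
    return zap_would_terminate(tasks, 2, &tasks[0]);   /* 1005 keeps the count at 2 */
}

/* pgrp and session inherited from the creating process in the parent namespace. */
bool scenario_pgrp_from_parent_ns(void)
{
    struct task tasks[] = {
        { 1000, 1000, 7, 7, true },
    };
    return zap_would_terminate(tasks, 1, &tasks[0]);
}

int main(void)
{
    printf("leader exits:            %s\n", scenario_leader_exits() ? "terminates" : "hangs");
    printf("thread exits after leader: %s\n", scenario_thread_exits_after_leader() ? "terminates" : "hangs");
    printf("init in foreign pgrp:    %s\n", scenario_init_joined_foreign_pgrp() ? "terminates" : "hangs");
    printf("pgrp from parent ns:     %s\n", scenario_pgrp_from_parent_ns() ? "terminates" : "hangs");
    return 0;
}
```

The third scenario is the one the setpgid restriction removes: the dead group leader's pid number stays allocated for as long as init's pgrp references it, so the count never drops to `init_pids` and the loop in the real kernel would wait forever.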