From: Andrei Vagin
To: linux-kernel@vger.kernel.org, Dmitry Safonov <0x7f454c46@gmail.com>, Christian Brauner
Cc: Florian Weimer, linux-mm@kvack.org, Eric Biederman, Kees Cook, Andrei Vagin
Subject: [PATCH 1/2] fs/exec: allow to unshare a time namespace on vfork+exec
Date: Sun, 12 Jun 2022 23:07:22 -0700
Message-Id: <20220613060723.197407-1-avagin@gmail.com>

Right now, a new process can't be forked in another time namespace if it shares mm with its parent. It is prohibited, because each time namespace has its own vvar page that is mapped into a process address space.

When a process calls exec, it gets a new mm and so it could be "legal" to switch time namespace in that case. This was not implemented and now if we want to do this, we need to add another clone flag to not break backward compatibility.

We don't have any user requests to switch times on exec except the vfork+exec combination, so there is no reason to add a new clone flag. As for vfork+exec, this should be safe to allow switching timens with the current clone flag. Right now, vfork (CLONE_VFORK | CLONE_VM) fails if a child is forked into another time namespace. With this change, vfork creates a new process in parent's timens, and the following exec does the actual switch to the target time namespace.

Suggested-by: Florian Weimer
Signed-off-by: Andrei Vagin
Acked-by: Christian Brauner (Microsoft)

--- fs/exec.c | 7 +++++++ kernel/fork.c | 5 ++++- kernel/nsproxy.c | 3 ++- 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index 0989fb8472a1..347e8f55bc2b 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -65,6 +65,7 @@ #include #include #include +#include #include #include @@ -982,10 +983,12 @@ static int exec_mmap(struct mm_struct *mm) { struct task_struct *tsk; struct mm_struct *old_mm, *active_mm; + bool vfork; int ret; /* Notify parent that we're no longer interested in the old VM */ tsk = current; + vfork = !!tsk->vfork_done; old_mm = current->mm; exec_mm_release(tsk, old_mm); if (old_mm) 
@@ -1030,6 +1033,10 @@ static int exec_mmap(struct mm_struct *mm) tsk->mm->vmacache_seqnum = 0; vmacache_flush(tsk); task_unlock(tsk); + + if (vfork) + timens_on_fork(tsk->nsproxy, tsk); + if (old_mm) { mmap_read_unlock(old_mm); BUG_ON(active_mm != old_mm); diff --git a/kernel/fork.c b/kernel/fork.c index 9d44f2d46c69..9174146f6812 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -2033,8 +2033,11 @@ static __latent_entropy struct task_struct *copy_process( /* * If the new process will be in a different time namespace * do not allow it to share VM or a thread group with the forking task. + * + * On vfork, the child process enters the target time namespace only + * after exec. */ - if (clone_flags & (CLONE_THREAD | CLONE_VM)) { + if ((clone_flags & (CLONE_VM | CLONE_VFORK)) == CLONE_VM) { if (nsp->time_ns != nsp->time_ns_for_children) return ERR_PTR(-EINVAL); } diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c index eec72ca962e2..b4cbb406bc28 100644 --- a/kernel/nsproxy.c +++ b/kernel/nsproxy.c @@ -179,7 +179,8 @@ int copy_namespaces(unsigned long flags, struct task_struct *tsk) if (IS_ERR(new_ns)) return PTR_ERR(new_ns); - timens_on_fork(new_ns, tsk); + if ((flags & CLONE_VM) == 0) + timens_on_fork(new_ns, tsk); tsk->nsproxy = new_ns; return 0;
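Review bot: in the first exec_mmap() hunk (fs/exec.c, @@ -982), the position of "vfork = !!tsk->vfork_done;" ahead of exec_mm_release(tsk, old_mm) looks load-bearing but is not explained. The existing comment above it says this is where the parent is notified, so tsk->vfork_done presumably cannot be trusted after that call. Please add a one-line comment saying the flag must be sampled before exec_mm_release(), so a later cleanup does not move the assignment down next to its use.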
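Review bot: in the second exec_mmap() hunk (fs/exec.c, @@ -1030), "if (vfork) timens_on_fork(tsk->nsproxy, tsk);" calls a fork-named helper from the exec path with no comment, and it does so after task_unlock(tsk) while reading tsk->nsproxy. A short comment that this is the time namespace switch deferred from copy_namespaces() for CLONE_VM children, plus a note on why no lock is needed here, would make the call understandable without the commit message. A thin wrapper with an exec-oriented name would also read better than reusing timens_on_fork() directly.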
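Review bot: in the copy_process() hunk (kernel/fork.c), the new test "(clone_flags & (CLONE_VM | CLONE_VFORK)) == CLONE_VM" drops CLONE_THREAD from the mask, so CLONE_THREAD | CLONE_VM | CLONE_VFORK with time_ns != time_ns_for_children is no longer rejected with -EINVAL. The commit message only argues for plain vfork (CLONE_VFORK | CLONE_VM), and the retained comment still says the child may not share "a thread group with the forking task". Either keep CLONE_THREAD rejected explicitly, or state in the comment why a vfork'ed thread is acceptable here.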
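Review bot: in the copy_namespaces() hunk (kernel/nsproxy.c), "if ((flags & CLONE_VM) == 0)" skips timens_on_fork() for every CLONE_VM child, not only for vfork children, and is correct only because copy_process() rejects CLONE_VM without CLONE_VFORK when the namespaces differ. That coupling between two files is invisible at this site, and the matching condition in exec_mmap() is keyed on tsk->vfork_done rather than on clone flags. Please add a comment here naming both the fork.c check and the deferred call in exec_mmap(), so a change to either side does not leave a CLONE_VM child that never enters time_ns_for_children.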