Re: [PATCH 1/2] signals: kill(-1) should only signal processes in the same namespace
From: Oleg Nesterov
Date: Wed Jul 23 2008 - 10:30:45 EST
On 07/17, Daniel Hokka Zakrisson wrote:
>
> +int task_in_pid_ns(struct task_struct *tsk, struct pid_namespace *ns)
> +{
> + struct pid *pid = task_pid(tsk);
> +
> + if (!pid)
> + return 0;
> +
> + if (pid->level < ns->level)
> + return 0;
> +
> + if (pid->numbers[ns->level].ns != ns)
> + return 0;
> +
> + return 1;
> +}
> +
> static __init int pid_namespaces_init(void)
> {
> pid_ns_cachep = KMEM_CACHE(pid_namespace, SLAB_PANIC);
> diff --git a/kernel/signal.c b/kernel/signal.c
> index 6c0958e..93713a5 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -1145,7 +1145,8 @@ static int kill_something_info(int sig, struct
> siginfo *info, int pid)
> struct task_struct * p;
>
> for_each_process(p) {
> - if (p->pid > 1 && !same_thread_group(p, current)) {
> + if (p->pid > 1 && !same_thread_group(p, current) &&
> + task_in_pid_ns(p, current->nsproxy->pid_ns)) {
> int err = group_send_sig_info(sig, info, p);
> ++count;
> if (err != -EPERM)
Do we really need all these complications? Afaics, we can make
a simpler patch,
--- kernel/signal.c
+++ kernel/signal.c
@@ -1136,7 +1136,7 @@ static int kill_something_info(int sig,
struct task_struct * p;
for_each_process(p) {
- if (p->pid > 1 && !same_thread_group(p, current)) {
+ if (task_pid_vnr(p) > 1 && !same_thread_group(p, current)) {
int err = group_send_sig_info(sig, info, p);
++count;
if (err != -EPERM)
task_pid_vnr(p) returns 0 if "p" is not visible from the current's
namespace. "> 1" ensures we don't kill the child reaper as well.
No?
Oleg.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/