Re: [RFC PATCH v4 00/12] Second attempt at contained helper execution

From: Eric W. Biederman
Date: Thu Mar 19 2015 - 17:42:46 EST


Ian Kent <raven@xxxxxxxxxx> writes:

> Here is another update to the attempt at contained helper execution.
>
> The main change is I've tried to incorporate Oleg's suggestions
> of directly constructing the namespaces rather than using the
> open/setns approach and the addition of a namespace hash store.
>
> I'm not particularly happy with this so far as there are a bunch
> of ref counted objects and I've almost certainly got that wrong.
> But also there are object lifetime problems, some I'm aware of
> and for sure others I'm not. Also there is the integrity of the
> thread runner process. I haven't performed a double fork on thread
> execution; it might be painful to implement, so the thread runner
> might end up with the wrong namespace setup if an error occurs.
>
> Anyway, I've decided to stop spinning my wheels with this and
> post an update in the hope that others can offer suggestions to
> help and, of course, point out things I've missed.
>
> The other change has been to the nfs and KEYS patches.
> I've introduced the ability to get a token that can be used to
> save namespace information for later execution and I've attempted
> to use that for persistent namespace execution, as was discussed
> previously.
>
> I'm not at all sure I've done this in a sensible way but the
> token does need to be accessible at helper execution time which
> is why I've done it this way.
>
> I definitely need advice here too.

As far as I can tell this patchset continues to be broken for ignoring
my earlier advice.

This patchset provides an escape from cgroup, lsm, rlimit, and
seccomp policy.

This patchset does not appear particularly nice in how it uses
namespaces.

The only safe and sane way to do this is to have a kernel thread with
all of the proper attributes configured waiting around ready to start
the user mode helper.

The problem you are trying to solve is so hard that we totally failed to
solve it outside of the container case, which is why we have kthreadd.
I will be very surprised if you can figure out how to cleanly solve the
problem the way you are attacking it.

Eric

