Re: [PATCH net 2/2] auth_gss: Fix deadlock that blocks rpcsec_gss_exit_net when use-gss-proxy==1
From: bfields@xxxxxxxxxxxx
Date: Tue Nov 09 2021 - 12:21:17 EST
On Thu, Sep 30, 2021 at 09:56:03AM +0800, wanghai (M) wrote:
>
> On 2021/9/30 5:12, bfields@xxxxxxxxxxxx wrote:
> >On Tue, Sep 28, 2021 at 11:43:00AM -0400, bfields@xxxxxxxxxxxx wrote:
> >>On Tue, Sep 28, 2021 at 03:36:58PM +0000, Trond Myklebust wrote:
> >>>What is the use case here? Starting the gssd daemon or knfsd in
> >>>separate chrooted environments? We already know that they have to be
> >>>started in the same net namespace, which pretty much ensures it has to
> >>>be the same container.
> >>Somehow I forgot that knfsd startup is happening in some real process's
> >>context too (not just a kthread).
> >>
> >>OK, great, I agree, that sounds like it should work.
Ugh, took me a while to get back to this and I went down a couple dead
ends.

The result from selinux's point of view is that rpc.nfsd is doing things
it previously only expected gssproxy to do. Fixable with an update to
selinux policy. And easily fixed in the meantime by cut-and-pasting the
suggestions from the logs.

Still, the result's that mounts fail when you update the kernel, which
seems a violation of our usual rules about regressions. I'd like to do
better.

--b.