Ping

Thanks
Zhaolei

> From: Zhao Lei [mailto:zhaolei@xxxxxxxxxxxxxx]
> Sent: Friday, April 15, 2016 6:47 PM
> To: linux-kernel@xxxxxxxxxxxxxxx
> Cc: containers@xxxxxxxxxxxxxxxxxxxxxxxxxx; Eric W. Biederman <ebiederm@xxxxxxxxxxxx>; Mateusz Guzik <mguzik@xxxxxxxxxx>; Kamezawa Hiroyuki <kamezawa.hiroyu@xxxxxxxxxxxxxx>; Zhao Lei <zhaolei@xxxxxxxxxxxxxx>
> Subject: [PATCH 0/3] [RFC] Write dump into container's filesystem for pipe_type core_pattern
>
> In the current system, when we set core_pattern to a pipe, both the pipe program
> and the program's output are in the host's filesystem.
> But when we set core_pattern to a file, the container will write the dump
> into the container's filesystem.
>
> For example, when we set the following core_pattern:
> # echo "|/my_dump_pipe %s %c %p %u %g %t e" >/proc/sys/kernel/core_pattern
> and trigger a segmentation fault in a container, my_dump_pipe is searched for in the
> host's filesystem, and it will write the coredump into the host's filesystem too.
>
> In a privileged container, a user can destroy the host system with the following
> commands:
> # # In a container
> # echo "|/bin/dd of=/boot/vmlinuz" >/proc/sys/kernel/core_pattern
> # make_dump
>
> Actually, no operation in a container should change the host's
> environment; the container should use core_pattern as its private setting.
> In detail, in the core dump action:
> 1: Search for the pipe program in the container's fs namespace.
> 2: Run the pipe program in the container's fs namespace to write the coredump to it.
>
> I rewrote this patch from the original:
>   http://www.gossamer-threads.com/lists/linux/kernel/2395715?do=post_view_flat
> and changed the implementation and function details as discussed in:
>   http://www.gossamer-threads.com/lists/linux/kernel/2397602?nohighlight=1#2397602
>
> Changes against the previous implementation:
> 1: Avoid forking a thread from the crashed process.
>    Suggested-by: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
> 2: To keep compatibility with current code, if the user hasn't changed
>    core_pattern in the container, the dump file will still be written to
>    the host filesystem.
>    Suggested-by: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
>
> Zhao Lei (3):
>   [RFC] Save dump_root into pid_namespace
>   [RFC] Make dump_pipe thread possible to select the rootfs
>   [RFC] Write dump into container's filesystem for pipe_type core_pattern
>
>  fs/coredump.c                 | 19 ++++++++++++++++++-
>  fs/fs_struct.c                | 25 ++++++++++++++++---------
>  include/linux/fs_struct.h     |  3 ++-
>  include/linux/kmod.h          |  4 +++-
>  include/linux/pid_namespace.h |  3 +++
>  include/linux/sched.h         |  5 +++--
>  init/do_mounts_initrd.c       |  3 ++-
>  init/main.c                   |  4 ++--
>  kernel/fork.c                 | 34 ++++++++++++++++++++--------------
>  kernel/kmod.c                 | 13 ++++++++-----
>  kernel/kthread.c              |  3 ++-
>  kernel/pid.c                  |  1 +
>  kernel/pid_namespace.c        |  6 ++++++
>  kernel/sysctl.c               | 30 ++++++++++++++++++++++++++----
>  lib/kobject_uevent.c          |  3 ++-
>  security/keys/request_key.c   |  2 +-
>  16 files changed, 115 insertions(+), 43 deletions(-)
>
> --
> 1.8.5.1

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
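The cover letter's point is that a pipe-type core_pattern is expanded and then resolved in the host's filesystem, while a file-type pattern is resolved in the dumping process's filesystem. The following is an added example, not code from the patch series, that models the kernel's specifier expansion (meanings as in core(5), unknown specifiers dropped as in format_corename()) and classifies a pattern the way an auditor checking a host's or container's sysctl would; the crash context is constructed.

```python
"""Added example: model core_pattern expansion and classification for auditing."""
from dataclasses import dataclass


@dataclass
class CrashInfo:
    """Constructed stand-in for what the kernel knows at core-dump time."""
    pid: int
    uid: int
    gid: int
    signal: int
    time: int
    comm: str        # executable name, %e
    core_limit: int  # RLIMIT_CORE soft limit, %c
    hostname: str = "node1"


# Constructed sample crash: SIGSEGV (11) in "myapp" with core limit 0.
SAMPLE_CRASH = CrashInfo(pid=4242, uid=1000, gid=1000, signal=11,
                         time=1460713620, comm="myapp", core_limit=0)


def expand_core_pattern(pattern: str, info: CrashInfo) -> str:
    """Expand %-specifiers as the kernel does before using the pattern."""
    table = {
        "p": str(info.pid), "u": str(info.uid), "g": str(info.gid),
        "s": str(info.signal), "t": str(info.time), "e": info.comm,
        "c": str(info.core_limit), "h": info.hostname, "%": "%",
    }
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] != "%":
            out.append(pattern[i]); i += 1; continue
        if i + 1 >= len(pattern):
            break                      # lone trailing '%' is dropped
        out.append(table.get(pattern[i + 1], ""))  # unknown specifier emits nothing
        i += 2
    return "".join(out)


def classify_core_pattern(pattern: str, info: CrashInfo) -> dict:
    """Report whether the pattern is a pipe handler (argv, run in the host's
    filesystem per the cover letter) or a dump file path, and where it resolves."""
    if pattern.startswith("|"):
        argv = expand_core_pattern(pattern[1:], info).split()  # expand, then split
        return {"type": "pipe", "argv": argv, "resolved_in": "host filesystem",
                "absolute": bool(argv) and argv[0].startswith("/")}
    path = expand_core_pattern(pattern, info)
    return {"type": "file", "path": path,
            "resolved_in": "dumping process's filesystem",
            "absolute": path.startswith("/")}
```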