Re: [PATCH 03/34] teach move_mount(2) to work with OPEN_TREE_CLONE [ver #12]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/10/2018 10:17, David Howells wrote:
Alan Jenkins <alan.christopher.jenkins@xxxxxxxxx> wrote:

# unshare --mount=private_mnt/child_ns --propagation=shared ls -l /proc/self/ns/mnt
I think the problem is that the mount of the nsfs object done by unshare here
pins the new mount namespace - but doesn't add the namespace's contents into
the mount tree, so the mount struct cycle-detection code is bypassed.

I think it's fine for all other namespaces, just not the mount namespace.

It looks like this bug might theoretically exist upstream also, though I don't
think there's any way to actually effect it given that mount() doesn't take a
dirfd argument.

The reason that you can do this with open_tree()/move_mount() is that it
allows you to create a mount tree (OPEN_TREE_CLONE) that has no namespace
assignment, pass it through the namespace switch and then attach it inside the
child namespace.  The cross-namespace checks in do_move_mount() are bypassed
because the root of the newly-cloned mount tree doesn't have one.

Unfortunately, just searching the newly-cloned mount tree for a conflicting
nsfs mount doesn't help because the potential loop could be hidden several
levels deep.

I think the simplest solution is to either reject a request for
open_tree(OPEN_TREE_CLONE) if there are any nsfs objects in the source tree,
or to just not copy said objects.

David

Very clearly written, thank you.  Hum, your solution would mean open_tree(OPEN_TREE_CLONE) + move_mount() is not equivalent to the current `mount --rbind` :-(.  That does not fit the current patch description.

It sounds like you're under-estimating how we can use mnt_ns->seq (as is currently used in mnt_ns_loop()).  Or maybe I am over-estimating it :).

In principle, it should suffice for attach_recursive_mount() to check the NS sequence numbers of the NS files which are mounted. You can't hide the loop at a deeper level inside the NS, because of the existing mnt_ns_loop() check.

I think mnt_ns_loop() works 100% correctly upstream, and there is no memory leak bug there.  You can pass a mount NS fd between processes in arbitrary namespaces, and you can mount it with "mount --no-canonicalize --bind /proc/self/fd/3 /other_ns".  But mnt_ns_loop() will only allow the mount when the other NS is newer than your own mount namespace.

Upstream also covers mount propagation (and CLONE_NEWNS), by simply not propagating mounts of mount NS files.  ( See commit 4ce5d2b1a8fd "vfs: Don't copy mount bind mounts of /proc/<pid>/ns/mnt between namespaces" / https://unix.stackexchange.com/questions/473717/what-code-prevents-mount-namespace-loops-in-a-more-complex-case-involving-mount-propagation )

I think it is more a question of taste :-).  Would it be acceptable to prune the tree (or fail?) in move_mount() (and also `mount --move`, if you [ab]use it like I did) ?

I suspect we should prefer your solution.  It is clearly simpler, and I don't know that anyone really uses `mount --rbind` to clone trees of mount NS files.

Either way, I suggest we take care to say whether `mount --rbind` and `mount --bind` can be implemented using open_tree() + move_mount(), or whether we think it might be undesirable.  (E.g. because someone might read the current commit message, and desire to implement `mount --bind,ro` atomically, if/when we also have mount_setattr() ).

Regards

Alan


---

Test script:

	mount -t tmpfs none /a
	mount --make-shared /a
	cd /a
	mkdir private_mnt
	mount -t tmpfs xxx private_mnt
	mount --make-private private_mnt
	touch private_mnt/child_ns
	unshare --mount=private_mnt/child_ns --propagation=shared \
	    ls -l /proc/self/ns/mnt
	findmnt

	~/open_tree 3</a/private_mnt 3 \
	    nsenter --mount=/a/private_mnt/child_ns \
	    sh -c '~/move_mount 4</mnt'

	grep Shmem: /proc/meminfo
	dd if=/dev/zero of=/a/private_mnt/bigfile bs=1M count=10

	umount -l /a/private_mnt/
	grep Shmem: /proc/meminfo



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux