This check if for prohibiting access to /proc/[pid]/ns/pid_for_children
before first task of the pid namespace is created.
/proc/namespaces/ code will use this check too, so we move it into
a separate function.
Signed-off-by: Kirill Tkhai <ktkhai@xxxxxxxxxxxxx>
---
kernel/pid_namespace.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
index d02dc1696edf..4a01328e8763 100644
--- a/kernel/pid_namespace.c
+++ b/kernel/pid_namespace.c
@@ -343,6 +343,21 @@ static struct ns_common *pidns_get(struct task_struct *task)
return ns ? &ns->ns : NULL;
}
+static bool pidns_can_get(struct ns_common *ns)
+{
+ struct pid_namespace *pid_ns;
+ bool ret = true;
+
+ pid_ns = container_of(ns, struct pid_namespace, ns);
+
+ read_lock(&tasklist_lock);
+ if (!pid_ns->child_reaper)
+ ret = false;
+ read_unlock(&tasklist_lock);
+
+ return ret;
+}
+
static struct ns_common *pidns_for_children_get(struct task_struct *task)
{
struct pid_namespace *ns = NULL;
@@ -354,13 +369,9 @@ static struct ns_common *pidns_for_children_get(struct task_struct *task)
}
task_unlock(task);
- if (ns) {
- read_lock(&tasklist_lock);
- if (!ns->child_reaper) {
- put_pid_ns(ns);
- ns = NULL;
- }
- read_unlock(&tasklist_lock);
+ if (ns && !pidns_can_get(&ns->ns)) {
+ put_pid_ns(ns);
+ ns = NULL;
}
return ns ? &ns->ns : NULL;
