From: Ian Kent
If pipefs is registered within a namespace other than the root init
namespace, subsequent pipefs requests should be run within the init
namespace of registration.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David Howells
Cc: Trond
From: Ian Kent
If the caller is running within a container then execute the usermode
helper callback within the init namespace of the container.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David Howells
Cc: Trond Myklebust
Cc: Oleg Nesterov
Cc
From: Ian Kent
Containerized request key helper callbacks need the ability to execute
a binary in a container's context. To do this calling an in kernel
equivalent of setns(2) should be sufficient since the user mode helper
execution kernel thread ultimately calls do_execve().
Signed-off
From: Ian Kent
Add function call_usermodehelper_ns() to allow passing a namespace
token to lookup previously stored namespace information for usermode
helper execution.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David Howells
Cc: Trond Myklebust
Cc
From: Ian Kent
If nfsd is running within a container the client tracking operations
should run within the originating container also.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David Howells
Cc: Trond Myklebust
Cc: Oleg Nesterov
Cc: Eric W
From: Ian Kent
When call_usermodehelper_keys() is called it assumes it won't be called
with the flag UMH_NO_WAIT. Currently that's always the case.
Change this to check the flag and use the correct kernel memory allocation
flag to guard against future changes.
Signed-off-by: Ian Kent
Cc
From: Ian Kent
Persistent use of namespace information is needed where contained
execution is needed in a namespace other than the current namespace.
Use a simple random token as a key to store namespace information
in a hashed list for later usermode helper execution.
Signed-off-by: Ian Kent
this in a sensible way but the
token does need to be accessible at helper execution time which
is why I've done it this way.
I definitely need advice here too.
---
Ian Kent (12):
nsproxy - make create_new_namespaces() non-static
kmod - rename call_usermodehelper() flags parameter
vfs
From: Ian Kent
The mnt_namespace definition will be needed by the usermode helper
contained execution implementation, move it to include/linux/mount.h.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David Howells
Cc: Trond Myklebust
Cc: Oleg Nesterov
From: Ian Kent
create_new_namespaces() will be needed by usermodehelper namespace
restricted execution.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David Howells
Cc: Trond Myklebust
Cc: Stanislav Kinsbursky
Cc: Oleg Nesterov
Cc: Eric W. Biederman
From: Ian Kent ik...@redhat.com
The wait parameter of call_usermodehelper() is not quite a parameter
that describes the wait behaviour alone and will later be used to
request execution within the current namespaces. This flag is tied
to the wait field of the subprocess_info structure which
From: Ian Kent ik...@redhat.com
The call_usermodehelper() function executes all binaries in the
global init root context. This doesn't allow a binary to be run
within a namespace (e.g. the namespaces of a container).
The init process of the caller's environment is used to set up the
namespaces
From: Ian Kent ik...@redhat.com
Make usermode helper thread runner namespace aware.
Signed-off-by: Ian Kent ik...@redhat.com
Cc: Benjamin Coddington bcodd...@redhat.com
Cc: Al Viro v...@zeniv.linux.org.uk
Cc: J. Bruce Fields bfie...@fieldses.org
Cc: David Howells dhowe...@redhat.com
Cc: Trond
On Mon, 2015-02-23 at 17:22 -0800, Benjamin Coddington wrote:
> On Tue, 24 Feb 2015, Ian Kent wrote:
>
> > On Mon, 2015-02-23 at 09:52 -0500, J. Bruce Fields wrote:
> > > On Sat, Feb 21, 2015 at 11:58:58AM +0800, Ian Kent wrote:
> > > > On Fri, 2015-02-20 at 1
On Mon, 2015-02-23 at 09:52 -0500, J. Bruce Fields wrote:
> On Sat, Feb 21, 2015 at 11:58:58AM +0800, Ian Kent wrote:
> > On Fri, 2015-02-20 at 14:05 -0500, J. Bruce Fields wrote:
> > > On Fri, Feb 20, 2015 at 12:07:15PM -0600, Eric W. Biederman wrote:
> > >
On Fri, 2015-02-20 at 14:05 -0500, J. Bruce Fields wrote:
> On Fri, Feb 20, 2015 at 12:07:15PM -0600, Eric W. Biederman wrote:
> > "J. Bruce Fields" writes:
> >
> > > On Fri, Feb 20, 2015 at 05:33:25PM +0800, Ian Kent wrote:
> >
> > >> The cas
On Wed, 2015-02-18 at 20:31 -0500, J. Bruce Fields wrote:
> On Thu, Feb 19, 2015 at 08:39:01AM +0800, Ian Kent wrote:
> > On Wed, 2015-02-18 at 15:59 -0500, J. Bruce Fields wrote:
> > > On Wed, Feb 18, 2015 at 12:31:32PM -0500, J. Bruce Fields wrote:
> > > > On W
On Wed, 2015-02-18 at 15:59 -0500, J. Bruce Fields wrote:
> On Wed, Feb 18, 2015 at 12:31:32PM -0500, J. Bruce Fields wrote:
> > On Wed, Feb 18, 2015 at 12:06:20PM -0500, J. Bruce Fields wrote:
> > > On Fri, Feb 06, 2015 at 09:47:25AM +0800, Ian Kent wrote:
> > > &g
On Mon, 2015-02-16 at 19:24 +0100, Oleg Nesterov wrote:
> On 02/16, Oleg Nesterov wrote:
> >
> > On 02/16, Ian Kent wrote:
> > >
> > > On Tue, 2015-02-10 at 17:55 +0100, Oleg Nesterov wrote:
> > > > On 02/10, Ian Kent wrote:
> > > > >
On Mon, 2015-02-16 at 18:13 +0100, Oleg Nesterov wrote:
> On 02/16, Ian Kent wrote:
> >
> > On Tue, 2015-02-10 at 17:55 +0100, Oleg Nesterov wrote:
> > > On 02/10, Ian Kent wrote:
> > > >
> > > > On Mon, 2015-02-09 at 17:03 +0100, Oleg Nesterov wrot
On Tue, 2015-02-10 at 17:55 +0100, Oleg Nesterov wrote:
> On 02/10, Ian Kent wrote:
> >
> > On Mon, 2015-02-09 at 17:03 +0100, Oleg Nesterov wrote:
> > >
> > > I understand. But I still can't understand why we can't implement
> > > something
>
On Wed, 2015-02-11 at 21:41 +0100, Rasmus Villemoes wrote:
> Ping...
The patch looks fine to me.
I'll check there are no other instances of this and send it to Al.
>
> On Fri, Feb 06 2015, Rasmus Villemoes wrote:
>
> > %pD for struct file*, %pd for struct dentry*.
> >
> > Fixes: a455589f181e
On Mon, 2015-02-09 at 17:03 +0100, Oleg Nesterov wrote:
> On 02/09, Ian Kent wrote:
> >
> > On Sun, 2015-02-08 at 20:00 +0100, Oleg Nesterov wrote:
> > > > +
> > > > + this = file_open_root(mnt->mnt_root, mnt, path,
> > > >
On Sun, 2015-02-08 at 20:00 +0100, Oleg Nesterov wrote:
> On 02/05, Ian Kent wrote:
> >
> > +int umh_enter_ns(struct task_struct *tsk, struct cred *new)
> > +{
> > + char path[NS_PATH_MAX];
> > + struct vfsmount *mnt;
> > + const char *name;
On Fri, 2015-02-06 at 07:08 -0500, Jeff Layton wrote:
> On Thu, 05 Feb 2015 10:34:11 +0800
> Ian Kent wrote:
>
> > The call_usermodehelper() function executes all binaries in the
> > global "init" root context. This doesn't allow a binary to be run
> >
On Thu, 2015-02-05 at 15:14 +, David Howells wrote:
>
> > + /* If running within a container use the container namespace */
> > + if (current->nsproxy->net_ns != _net)
>
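Review bot: the `current->nsproxy->net_ns != init_net` comparison in the quoted hunk infers "running in a container" from the network namespace alone, which misclassifies both a container that shares the host network namespace and a process that has only unshared its network namespace (a container's mount, pid or user namespace can differ while its network namespace is the host's). Either test the namespaces the helper execution actually depends on, or have the caller request contained execution explicitly through the flags parameter introduced earlier in the series, rather than inferring it here.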
> Is that a viable check? Is it possible to have a container that shares
> networking details?
That's up for
On Thu, 2015-02-05 at 15:01 +, David Howells wrote:
> Ian Kent wrote:
>
> > -call_usermodehelper(char *path, char **argv, char **envp, int wait);
> > +call_usermodehelper(char *path, char **argv, char **envp, int flags);
>
> Can we make flags unsigned whilst
If the caller is running within a container then execute the usermode
helper callback within the init namespace of the container.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David Howells
Cc: Trond Myklebust
Cc: Oleg Nesterov
Cc: Eric W. Biederman
infrastructure will continue
to use a usermode callback so we'll need to wait on that.
---
Ian Kent (8):
nsproxy - refactor setns()
kmod - rename call_usermodehelper() flags parameter
kmod - teach call_usermodehelper() to use a namespace
KEYS - rename call_usermodehelper_keys
The wait parameter of call_usermodehelper() is not quite a parameter
that describes the wait behaviour alone and will later be used to
request exec within a namespace.
So change its name to flags.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David
Containerized request key helper callbacks need the ability to execute
a binary in a container's context. To do this calling an in kernel
equivalent of setns(2) should be sufficient since the user mode helper
execution kernel thread ultimately calls do_execve().
Signed-off-by: Ian Kent
Cc
's context. To do this the init
process of the caller's environment is used to set up the namespaces
in the same way the root init process is used otherwise.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David Howells
Cc: Trond Myklebust
Cc: Oleg Nesterov
If the caller is running within a container then execute the usermode
helper callback within the init namespace of the container.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David Howells
Cc: Trond Myklebust
Cc: Oleg Nesterov
Cc: Eric W. Biederman
The wait parameter of call_usermodehelper_keys() will later be used to
request exec within a namespace.
So change its name to flags.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David Howells
Cc: Trond Myklebust
Cc: Oleg Nesterov
Cc: Eric W
If nfsd is running within a container the client tracking operations
should run within the container also.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David Howells
Cc: Trond Myklebust
Cc: Oleg Nesterov
Cc: Eric W. Biederman
Cc: Jeff Layton
---
fs
For usermode helpers to execute within a namespace a slightly different
entry point to setns() that takes a namespace inode is needed.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David Howells
Cc: Trond Myklebust
Cc: Oleg Nesterov
Cc: Eric W. Biederman
Oops!
Please ignore these, mistakenly sent.
On Tue, 2015-02-03 at 15:16 +0800, Ian Kent wrote:
> For usermode helpers to execute within a namespace a slightly different
> entry point to setns() that takes a namespace inode is needed.
>
> Signed-off-by: Ian Kent
> Cc: Benjamin Coddi
For usermode helpers to execute within a namespace a slightly different
entry point to setns() that takes a namespace inode is needed.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David Howells
Cc: Trond Myklebust
Cc: Oleg Nesterov
Cc: Eric W. Biederman
The wait parameter of call_usermodehelper() is not quite a parameter
that describes the wait behaviour alone and will later be used to
request exec within a namespace.
So change its name to flags.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David
On Wed, 2015-01-21 at 09:38 -0500, J. Bruce Fields wrote:
> On Wed, Jan 21, 2015 at 03:05:25PM +0800, Ian Kent wrote:
> > On Fri, 2015-01-16 at 10:25 -0500, J. Bruce Fields wrote:
> > > On Fri, Jan 16, 2015 at 09:01:13AM +0800, Ian Kent wrote:
> > > > On Thu, 2015-
On Fri, 2015-01-16 at 10:25 -0500, J. Bruce Fields wrote:
> On Fri, Jan 16, 2015 at 09:01:13AM +0800, Ian Kent wrote:
> > On Thu, 2015-01-15 at 11:27 -0500, J. Bruce Fields wrote:
> > > On Thu, Jan 15, 2015 at 08:26:12AM +0800, Ian Kent wrote:
> > > > On Wed, 2015-
On Thu, 2015-01-15 at 11:45 -0500, Jeff Layton wrote:
> On Wed, 14 Jan 2015 17:32:43 +0800
> Ian Kent wrote:
>
> > The call_usermodehelper() function executes all binaries in the
> > global "init" root context. This doesn't allow a binary to be run
> >
On Thu, 2015-01-15 at 11:27 -0500, J. Bruce Fields wrote:
> On Thu, Jan 15, 2015 at 08:26:12AM +0800, Ian Kent wrote:
> > On Wed, 2015-01-14 at 17:10 -0500, J. Bruce Fields wrote:
> > > > On Wed, Jan 14, 2015 at 05:32:22PM +0800, Ian Kent wrote:
> > > > > Th
On Wed, 2015-01-14 at 17:10 -0500, J. Bruce Fields wrote:
> > On Wed, Jan 14, 2015 at 05:32:22PM +0800, Ian Kent wrote:
> > > There are other difficulties to tackle as well, such as how to decide
> > > if contained helper execution is needed. For example, if a mount h
's context. To do this the init
process of the caller's environment is used to set up the namespaces
in the same way the root init process is used otherwise.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David Howells
Cc: Trond Myklebust
Cc: Oleg Nesterov
The wait parameter of call_usermodehelper() is not quite a parameter
that describes the wait behaviour alone and will later be used to
request exec within a namespace.
So change its name to flags.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David
For usermode helpers to execute within a namespace a slightly different
entry point to setns() that takes a namespace inode is needed.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David Howells
Cc: Trond Myklebust
Cc: Oleg Nesterov
Cc: Eric W. Biederman
The wait parameter of call_usermodehelper_keys() will later be used to
request exec within a namespace.
So change its name to flags.
Signed-off-by: Ian Kent
Cc: Benjamin Coddington
Cc: Al Viro
Cc: J. Bruce Fields
Cc: David Howells
Cc: Trond Myklebust
Cc: Oleg Nesterov
Cc: Eric W
Containerized request key helper callbacks need the ability to execute
a binary in a container's context. To do this calling an in kernel
equivalent of setns(2) should be sufficient since the user mode helper
execution kernel thread ultimately calls do_execve().
Signed-off-by: Ian Kent
Cc
here to
enter the target namespace which probably needs work but is out of
scope for this series if in fact this approach is even acceptable.
Comments please?
---
Ian Kent (5):
nsproxy - refactor setns()
kmod - rename call_usermodehelper() flags parameter
kmod - teach call_usermodehe