On Tue, Aug 18, 2020 at 05:20:07PM +0200, krzysztof.struczyn...@huawei.com
wrote:
> From: Krzysztof Struczynski
>
> IMA has not been designed to work with containers. It handles every
> process in the same way, and it cannot distinguish if a process belongs to
> a container or not.
>
>
.c, so this commit
> marks it static.
>
> Fixes: 095cf502b31e ("binderfs: port to new mount api")
> Reported-by: Hulk Robot
> Signed-off-by: Wei Yongjun
> ---
Thanks!
Acked-by: Christian Brauner
On Mon, Aug 17, 2020 at 06:17:35PM -0700, Linus Torvalds wrote:
> On Mon, Aug 17, 2020 at 6:06 PM Eric W. Biederman
> wrote:
> >
> > I struggle with the fcheck name as I have not seen or at least not
> > registered on the user that just checks to see if the result is NULL.
> > So the name
> count.
>
> [1] https://lkml.kernel.org/r/20180915160423.ga31...@redhat.com
> Suggested-by: Oleg Nesterov
> Signed-off-by: "Eric W. Biederman"
> ---
Acked-by: Christian Brauner
d-by: Oleg Nesterov
> Signed-off-by: "Eric W. Biederman"
> ---
Acked-by: Christian Brauner
On Mon, Aug 17, 2020 at 05:04:14PM -0500, Eric W. Biederman wrote:
> As a companion to fget_task implement fcheck_task for use for querying
> a process about a specific file.
>
> Signed-off-by: "Eric W. Biederman"
> ---
Acked-by: Christian Brauner
performance.
>
> Using fcheck_task instead of get_files_struct clarifies tid_fd_mode by
> removing a step.
>
> [1] https://lkml.kernel.org/r/20180915160423.ga31...@redhat.com
> Suggested-by: Oleg Nesterov
> Signed-off-by: "Eric W. Biederman"
> ---
Acked-by: Christian Brauner
performance.
>
> Using fcheck_task instead of get_files_struct simplifies proc_fd_link by
> removing unnecessary locking, and reference counting.
>
> [1] https://lkml.kernel.org/r/20180915160423.ga31...@redhat.com
> Suggested-by: Oleg Nesterov
> Signed-off-by: "Eric W. Bied
ated part of close() to file.c")
> [2] 44d8047f1d87 ("binder: use standard functions to allocate fds")
> Signed-off-by: "Eric W. Biederman"
> ---
Acked-by: Christian Brauner
44d8047f1d87 ("binder: use standard functions to allocate fds")
> Signed-off-by: "Eric W. Biederman"
> ---
Acked-by: Christian Brauner
fd_install() for binder")
> [2] 44d8047f1d87 ("binder: use standard functions to allocate fds")
> Signed-off-by: "Eric W. Biederman"
> ---
+1 on __fd_install() going away.
Acked-by: Christian Brauner
fd. As f_dupfd is the only
> caller of alloc_fd this changing alloc_fd is trivially safe.
>
> Further this causes alloc_fd to take all of the same arguments as
> __alloc_fd except for the files_struct argument.
>
> Signed-off-by: "Eric W. Biederman"
> ---
Acked-by: Christian Brauner
On Mon, Aug 17, 2020 at 05:04:11PM -0500, Eric W. Biederman wrote:
> Now that exec no longer needs to restore the previous value of current->files
> on error there are no more callers of reset_files_struct so remove it.
>
> Signed-off-by: "Eric W. Biederman"
> ---
Acked-by: Christian Brauner
efore returning from unshare_files.
>
> Signed-off-by: "Eric W. Biederman"
> ---
Looks good.
Acked-by: Christian Brauner
> [14] https://lkml.kernel.org/r/20180827174722.3723-1-jlay...@kernel.org
> [15] https://lkml.kernel.org/r/20180830172423.21964-1-jlay...@kernel.org
> [16] https://lkml.kernel.org/r/20180914105310.6454-1-jlay...@kernel.org
> [17] https://lkml.kernel.org/r/87a7ohs5ow@xmission.com
> [18] https://lkml.kernel.org/r/87pn8c1uj6.fsf...@x220.int.ebiederm.org
> Signed-off-by: "Eric W. Biederman"
> ---
Slightly scary change but it solves a problem.
Acked-by: Christian Brauner
On Mon, Aug 17, 2020 at 10:48:01AM -0500, Eric W. Biederman wrote:
>
> Creating names in the kernel for namespaces is very difficult and
> problematic. I have not seen anything that looks like all of the
> problems have been solved with restoring these new names.
>
> When your filter for your
I'm going to reference that info in the commit message.
Applied, queueing for post rc1.
Acked-by: Christian Brauner
> kernel/sys.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/sys.c b/kernel/sys.c
> index ca11af9d815d..ab6c409b1159 100644
> ---
I'm going to reference that info in the commit message.
Applied, queueing for post rc1.
Acked-by: Christian Brauner
> kernel/signal.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/signal.c b/kernel/signal.c
> index 6f16f7c5d375..27505ca5be2d 100
On Thu, Aug 13, 2020 at 10:53:31AM +0800, hui yang wrote:
> From: YangHui
>
> Also it relies on inheritance, but there are some things you needn't inherit.
> If all children's oom_score_adj is -1000, the oom is meaningless
I can just repeat what I said before: we will not be changing
inheritance
On Tue, Aug 11, 2020 at 11:12:36AM -0700, Josh Triplett wrote:
> As far as I can tell, O_NONBLOCK has no effect on a pidfd. When calling
> waitid on a pidfd for a running process, it always blocks unless you
> provide WNOHANG.
>
> I don't think anything depends on that behavior. Would it be
On Tue, Aug 11, 2020 at 09:31:05PM +0200, Lennart Poettering wrote:
> On Di, 11.08.20 20:49, Miklos Szeredi (mik...@szeredi.hu) wrote:
>
> > On Tue, Aug 11, 2020 at 6:05 PM Linus Torvalds
> > wrote:
> >
> > > and then people do "$(srctree)/". If you haven't seen that kind of
> > > pattern where
On Tue, Aug 11, 2020 at 09:05:22AM -0700, Linus Torvalds wrote:
> On Tue, Aug 11, 2020 at 8:30 AM Miklos Szeredi wrote:
> >
> > What's the disadvantage of doing it with a single lookup WITH an enabling
> > flag?
> >
> > It's definitely not going to break anything, so no backward
> >
gularize compat handling of
> scm_detach_fds()")
> Signed-off-by: Kees Cook
> ---
Oh fun,
Acked-by: Christian Brauner
Thanks for fixing this quickly, Kees! I already built stuff on top of
the notifier fd injection work we did this cycle so it's great that we
don't have to revert this!
just remove it.
>
> Fixes: 44d8047f1d87 ("binder: use standard functions to allocate fds")
> Reported-by: syzbot+e113a0b970b7b3f39...@syzkaller.appspotmail.com
> Signed-off-by: Jann Horn
> ---
Acked-by: Christian Brauner
Thanks!
Christian
On Wed, Aug 05, 2020 at 09:31:28AM +0100, Christoph Hellwig wrote:
> On Tue, Aug 04, 2020 at 01:28:01PM +0200, Christian Brauner wrote:
> > High-level this does two main things:
> > 1. Remove the double export of both do_fork() and _do_fork() where do_fork()
> >used t
On Wed, Aug 05, 2020 at 05:17:08PM +0200, Christian Brauner wrote:
> On Wed, Aug 05, 2020 at 09:31:28AM +0100, Christoph Hellwig wrote:
> > On Tue, Aug 04, 2020 at 01:28:01PM +0200, Christian Brauner wrote:
> > > High-level this does two main things:
> > > 1. Remov
On Tue, Aug 04, 2020 at 02:56:04PM -0700, Linus Torvalds wrote:
> On Tue, Aug 4, 2020 at 4:28 AM Christian Brauner
> wrote:
> >
> > This is a series announced some time back (cf. [2]) when we reworked a
> > chunk of
> > the process creation paths in the kernel and s
On Tue, Aug 04, 2020 at 08:21:51AM -0500, Eric W. Biederman wrote:
> Christian Brauner writes:
>
> > On Tue, Aug 04, 2020 at 07:11:59AM -0500, Eric W. Biederman wrote:
> >> Christian Brauner writes:
> >>
> >> > On Mon, Aug 03, 2020 at 01:16:10P
On Tue, Aug 04, 2020 at 07:11:59AM -0500, Eric W. Biederman wrote:
> Christian Brauner writes:
>
> > On Mon, Aug 03, 2020 at 01:16:10PM +0300, Kirill Tkhai wrote:
> >> Every namespace type has its own counter. Some of them are
> >> of refcou
cp_metrics.c |2 +-
> 25 files changed, 51 insertions(+), 72 deletions(-)
>
> --
> Signed-off-by: Kirill Tkhai
> Acked-by: Christian Brauner
>
Christian
close-range-v5.9
----
Christian Brauner (5):
open: add close_range()
arch: wire-up close_range()
tests: add close_range() tests
close_range: add CLOSE_RANGE_UNSHARE
Hi Linus,
/* Summary */
This pull request contains the changes to enable unprivileged
checkpoint/restore of processes. Given that this work has been going on for
quite some time the first sentence in this summary is hopefully more exciting
than the actual final code changes required.
Unprivileged
2020-07-04 23:41:37
+0200)
Please consider pulling these changes from the signed fork-v5.9 tag.
Thanks!
Christian
fork-v5.9
--------
Christian Brauner (17):
fork: fold leg
0-07-08 11:14:22 +0200)
Please consider pulling these changes from the signed threads-v5.9 tag.
Thanks!
Christian
threads-v5.9
----
Christian Brauner (4):
ti
Hey Linus,
/* Summary */
This contains a simple spelling fix for dequeue_synchronous_signal().
/* Testing */
All patches have seen exposure in linux-next and are based on v5.8-rc7.
/* Conflicts */
At the time of creating this pr no merge conflicts were reported.
The following changes since
> $ _
> >
> > include/uapi/linux/ptrace.h | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/uapi/linux/ptrace.h b/include/uapi/linux/ptrace.h
> > index a71b6e3b03eb..83ee45fa634b 100644
> > --- a/include/uapi/linux/ptrace.
On Thu, Jul 30, 2020 at 05:07:05PM +0300, Kirill Tkhai wrote:
> On 30.07.2020 16:35, Christian Brauner wrote:
> > On Thu, Jul 30, 2020 at 02:59:25PM +0300, Kirill Tkhai wrote:
> >> Currently, every type of namespace has its own counter,
> >> which is stored in ns-s
On Thu, Jul 30, 2020 at 04:34:50PM +0100, Matthew Wilcox wrote:
> On Thu, Jul 30, 2020 at 05:27:05PM +0200, Christian Brauner wrote:
> > On Thu, Jul 30, 2020 at 04:22:50PM +0100, Matthew Wilcox wrote:
> > > On Mon, Jul 27, 2020 at 10:11:22AM -0700, Anthony Yznaga wrote:
> >
On Thu, Jul 30, 2020 at 04:22:50PM +0100, Matthew Wilcox wrote:
> On Mon, Jul 27, 2020 at 10:11:22AM -0700, Anthony Yznaga wrote:
> > This patchset adds support for preserving an anonymous memory range across
> > exec(3) using a new madvise MADV_DOEXEC argument. The primary benefit for
> >
On Thu, Jul 30, 2020 at 03:00:03PM +0300, Kirill Tkhai wrote:
> Convert time namespace to use generic counter.
>
> Signed-off-by: Kirill Tkhai
> ---
Looks good!
Acked-by: Christian Brauner
> include/linux/time_namespace.h |9 -
> kernel/time/namespa
On Thu, Jul 30, 2020 at 02:59:57PM +0300, Kirill Tkhai wrote:
> Convert cgroup namespace to use generic counter.
>
> Signed-off-by: Kirill Tkhai
> ---
Looks good!
Acked-by: Christian Brauner
> include/linux/cgroup.h|5 ++---
> kernel/cgroup/cgroup.c|2 +
On Thu, Jul 30, 2020 at 02:59:52PM +0300, Kirill Tkhai wrote:
> Convert mount namespace to use generic counter.
>
> Signed-off-by: Kirill Tkhai
> ---
Looks good!
Acked-by: Christian Brauner
> fs/mount.h |3 +--
> fs/namespace.c |4 ++--
> 2 files change
On Thu, Jul 30, 2020 at 02:59:47PM +0300, Kirill Tkhai wrote:
> Convert user namespace to use generic counter.
>
> Signed-off-by: Kirill Tkhai
> ---
Looks good!
Acked-by: Christian Brauner
> include/linux/user_namespace.h |5 ++---
> kernel/user.c |
On Thu, Jul 30, 2020 at 09:34:01AM -0500, Eric W. Biederman wrote:
> Kirill Tkhai writes:
>
> > Currently, there is no way to list or iterate all or a subset of namespaces
> > in the system. Some namespaces are exposed in /proc/[pid]/ns/ directories,
> > but some also may be as open files, which
On Thu, Jul 30, 2020 at 05:34:28PM +0300, Kirill Tkhai wrote:
> On 30.07.2020 17:30, Christian Brauner wrote:
> > On Thu, Jul 30, 2020 at 02:59:25PM +0300, Kirill Tkhai wrote:
> >> Currently, every type of namespace has its own counter,
> >> which is stored in ns-s
On Thu, Jul 30, 2020 at 02:59:41PM +0300, Kirill Tkhai wrote:
> Convert pid namespace to use generic counter.
>
> Signed-off-by: Kirill Tkhai
> ---
Looks good!
Acked-by: Christian Brauner
> include/linux/pid_namespace.h |4 +---
> kernel/pid.c |
On Thu, Jul 30, 2020 at 02:59:36PM +0300, Kirill Tkhai wrote:
> Convert uts namespace to use generic counter.
>
> Signed-off-by: Kirill Tkhai
> ---
Acked-by: Christian Brauner
> include/linux/ipc_namespace.h |3 +--
> ipc/msgutil.c |2 +-
have this addition be in a separate
patch but probably not and even if there'd be no need to resend.
Though I wonder, isn't this missing an include for refcount_t or is
there some header-magic we're doing during pre-processing?
Acked-by: Christian Brauner
Thanks!
Christian
> };
>
>
places where kref is used
to refcount_t and remove the kref api.)
Looks good!
Acked-by: Christian Brauner
> include/linux/utsname.h |9 -
> init/version.c |2 +-
> kernel/utsname.c|7 ++-
> 3 files changed, 7 insertions(+), 11 deletions(-)
[Cc: linux-api]
On Thu, Jul 30, 2020 at 03:08:53PM +0200, Christian Brauner wrote:
> On Thu, Jul 30, 2020 at 02:59:20PM +0300, Kirill Tkhai wrote:
> > Currently, there is no way to list or iterate all or a subset of namespaces
> > in the system. Some namespaces are exposed in
On Thu, Jul 30, 2020 at 02:59:25PM +0300, Kirill Tkhai wrote:
> Currently, every type of namespace has its own counter,
> which is stored in ns-specific part. Say, @net has
> struct net::count, @pid has struct pid_namespace::kref, etc.
>
> This patchset introduces unified counter for all types
>
On Thu, Jul 30, 2020 at 03:00:19PM +0300, Kirill Tkhai wrote:
> This is a new directory to show all namespaces, which can be
> accessed from this /proc task's credentials.
>
> Every /proc is related to a pid_namespace, and the pid_namespace
> is related to a user_namespace. The items, we show in
On Thu, Jul 30, 2020 at 02:59:20PM +0300, Kirill Tkhai wrote:
> Currently, there is no way to list or iterate all or a subset of namespaces
> in the system. Some namespaces are exposed in /proc/[pid]/ns/ directories,
> but some also may be as open files, which are not attached to a process.
> When
On Mon, Jul 27, 2020 at 04:50:13PM +0200, Christoph Hellwig wrote:
> Strange. Can you add this additional debugging patch:
Sorry Christoph,
didn't mean to leave you waiting. I got pulled into other stuff.
Christian
>
> diff --git a/fs/read_write.c b/fs/read_write.c
> index
On Mon, Jul 27, 2020 at 02:00:17PM -0400, Steven Sistare wrote:
> On 7/27/2020 1:07 PM, ebied...@xmission.com wrote:
> > Anthony Yznaga writes:
> >
> >> This patchset adds support for preserving an anonymous memory range across
> >> exec(3) using a new madvise MADV_DOEXEC argument. The primary
On Mon, Jul 27, 2020 at 04:13:38PM +0200, Christian Brauner wrote:
> On Mon, Jul 27, 2020 at 03:28:55PM +0200, Christoph Hellwig wrote:
> > On Mon, Jul 27, 2020 at 12:46:36PM +0200, Christian Brauner wrote:
> > > Hey Christoph,
> > >
> > > Seems that commit
On Mon, Jul 27, 2020 at 03:28:55PM +0200, Christoph Hellwig wrote:
> On Mon, Jul 27, 2020 at 12:46:36PM +0200, Christian Brauner wrote:
> > Hey Christoph,
> >
> > Seems that commit
> > 6955a76fbcd5 ("bpfilter: switch to kernel_write")
> > causes bpfil
On Mon, Jul 27, 2020 at 05:18:23PM +0545, Yadav Lamichhane wrote:
> fix a brace around if-else statement and for loop.
>
> Signed-off-by: Yadav Lamichhane
> ---
> kernel/user_namespace.c | 9 +++--
> 1 file changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/kernel/user_namespace.c
Hey Christoph,
Seems that commit
6955a76fbcd5 ("bpfilter: switch to kernel_write")
causes bpfilter to spew these useless messages in dmesg?
[ 26.356824] Started bpfilter
[ 26.357059] bpfilter: write fail -22
[ 26.396244] Started bpfilter
[ 26.396325] bpfilter: Loaded bpfilter_umh pid 637
On Fri, Jul 24, 2020 at 11:05:31AM +0200, Pavel Machek wrote:
> Fix typo in comment.
>
> Signed-off-by: Pavel Machek (CIP)
Applied to:
https://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux.git/log/?h=fixes
Thanks!
Acked-by: Christian Brauner
>
> diff --git a/kernel/si
On Sun, Jul 26, 2020 at 12:49:59PM +0800, Xin Xiong wrote:
> When clone_flags & CLONE_PIDFD is true, the function creates a new file
> object called pidfile, and invokes get_pid(), which increases the refcnt
> of pid for pidfile to hold.
>
> The reference counting issues take place in the error
On Fri, Jul 24, 2020 at 12:06:53PM -0700, Kees Cook wrote:
> I think this looks good now.
>
> Andrew, since you're already carrying my exec clean-ups (repeated here
> in patch 1-3), can you pick the rest of this series too?
Al,
Not sure if you have already re-surfaced from your
On Thu, Jul 23, 2020 at 10:41:40AM -0700, Andrei Vagin wrote:
> On Wed, Jul 22, 2020 at 07:15:06PM +0100, Catalin Marinas wrote:
> > On Mon, Jul 13, 2020 at 06:57:43PM -0700, Andrei Vagin wrote:
> > > On Sat, Jul 04, 2020 at 11:40:55PM -0700, Andrei Vagin wrote:
> > > > On Wed, Jun 24, 2020 at
owing the 'prev->on_rq = 0' store to become visible.
>
> Fixes: dbfb089d360b ("sched: Fix loadavg accounting race")
> Reported-by: Jiri Slaby
> Signed-off-by: Peter Zijlstra (Intel)
> Tested-by: Paul Gortmaker
> ---
Thank you. I applied this on top of v5.8-rc
On Mon, Jul 20, 2020 at 02:46:37PM +0200, Adrian Reber wrote:
> On Mon, Jul 20, 2020 at 01:54:52PM +0200, Christian Brauner wrote:
> > On Sun, Jul 19, 2020 at 08:17:30PM +0200, Christian Brauner wrote:
> > > On Sun, Jul 19, 2020 at 12:04:10PM +0200, Adrian Reber wrote:
> > > > I think this logic was correct even if it doesn't look nice. But
> > > > "doesn't look nice" is true for the whole ptrace code ;)
> > >
> > > *groan*... another bit of obscure magic :-(
> > >
> > > let me go t
On Sun, Jul 19, 2020 at 08:17:30PM +0200, Christian Brauner wrote:
> On Sun, Jul 19, 2020 at 12:04:10PM +0200, Adrian Reber wrote:
> > This is v6 of the 'Introduce CAP_CHECKPOINT_RESTORE' patchset. The
> > changes to v5 are:
> >
> > * split patch dealing with /pro
On Sun, Jul 19, 2020 at 12:04:10PM +0200, Adrian Reber wrote:
> This is v6 of the 'Introduce CAP_CHECKPOINT_RESTORE' patchset. The
> changes to v5 are:
>
> * split patch dealing with /proc/self/exe into two patches:
>* first patch to enable changing it with CAP_CHECKPOINT_RESTORE
> and
On Sun, Jul 19, 2020 at 06:10:54PM +0100, Al Viro wrote:
> On Tue, Jul 14, 2020 at 06:14:11PM +0200, Christian Brauner wrote:
>
> > mount_setattr() can be expected to grow over time and is designed with
> > extensibility in mind. It follows the extensible syscall patter
On Sat, Jul 18, 2020 at 05:27:38PM -0700, Randy Dunlap wrote:
> Drop the repeated word "the" in a comment.
>
> Signed-off-by: Randy Dunlap
> Cc: Greg Kroah-Hartman
> Cc: Arve Hjønnevåg
> Cc: Todd Kjos
> Cc: Martijn Coenen
> Cc: Joel Fernandes
> Cc: Chri
On Fri, Jul 17, 2020 at 10:24:16PM -0500, Serge Hallyn wrote:
> On Wed, Jul 15, 2020 at 04:49:48PM +0200, Adrian Reber wrote:
> > This is v5 of the 'Introduce CAP_CHECKPOINT_RESTORE' patchset. The
> > changes to v4 are:
> >
> > * split into more patches to have the introduction of
> >
On Sat, Jul 18, 2020 at 07:14:07PM +0200, Oleg Nesterov wrote:
> On 07/18, Jiri Slaby wrote:
> >
> > On 17. 07. 20, 14:40, Oleg Nesterov wrote:
> > >
> > > please see the updated patch below, lets check ptrace_unfreeze() too.
> >
> > Sure, dmesg attached.
>
> Thanks a lot!
>
> But I am totally
On Fri, Jul 17, 2020 at 01:04:38PM +0200, Jiri Slaby wrote:
> On 17. 07. 20, 12:45, Jiri Slaby wrote:
> > Hi,
> >
> > the strace testsuite triggers this on 5.8-rc4 and -rc5 both on x86_64
> > and i586:
>
> make check needs -jsomething, running it sequentially (-j1) doesn't
> trigger it. After
On Thu, Jul 16, 2020 at 01:25:43PM -0700, Kees Cook wrote:
> On Thu, Jul 16, 2020 at 10:22:34PM +0200, Christian Brauner wrote:
> > On Thu, Jul 16, 2020 at 01:04:38PM -0700, Kees Cook wrote:
> > > On Thu, Jul 16, 2020 at 03:31:39PM -0400, Gabriel Krisman Bertazi wrote:
On Thu, Jul 16, 2020 at 01:04:38PM -0700, Kees Cook wrote:
> On Thu, Jul 16, 2020 at 03:31:39PM -0400, Gabriel Krisman Bertazi wrote:
> > This is v4 of Syscall User Redirection. The implementation itself is
> > not modified from v3, it only applies the latest round of reviews to the
> >
> > Reported-by: syzbot
> > Signed-off-by: Tetsuo Handa
>
> Reviewed-by: Michal Hocko
Thanks for the careful review Michal!
Does this need a Cc: stable?
Otherwise
Acked-by: Christian Brauner
Thanks!
Christian
On Wed, Jul 15, 2020 at 04:49:52PM +0200, Adrian Reber wrote:
> Opening files in /proc/pid/map_files when the current user is
> CAP_CHECKPOINT_RESTORE capable in the root namespace is useful for
> checkpointing and restoring to recover files that are unreachable via
> the file system such as
On Wed, Jul 15, 2020 at 11:10:47AM -0400, Mathieu Desnoyers wrote:
> - On Jul 15, 2020, at 8:33 AM, Christian Brauner
> christian.brau...@ubuntu.com wrote:
> [...]
> >
> > So here's a very free-wheeling draft of roughly what I had in mind. Not
> > even compile-tes
On Wed, Jul 15, 2020 at 04:49:54PM +0200, Adrian Reber wrote:
> This adds a test that changes its UID, uses capabilities to
> get CAP_CHECKPOINT_RESTORE and uses clone3() with set_tid to
> create a process with a given PID as non-root.
>
> Signed-off-by: Adrian Reber
> Acked-by: Serge Hallyn
>
On Wed, Jul 15, 2020 at 04:49:53PM +0200, Adrian Reber wrote:
> From: Nicolas Viennot
>
> Allow CAP_CHECKPOINT_RESTORE capable users to change /proc/self/exe.
>
> This commit also changes the permission error code from -EINVAL to
> -EPERM for consistency with the rest of the prctl() syscall
On Wed, Jul 15, 2020 at 04:49:50PM +0200, Adrian Reber wrote:
> Use the newly introduced capability CAP_CHECKPOINT_RESTORE to allow
> using clone3() with set_tid set.
>
> Signed-off-by: Adrian Reber
> Signed-off-by: Nicolas Viennot
> ---
Looks good!
Acked-by: Christian B
On Wed, Jul 15, 2020 at 04:49:51PM +0200, Adrian Reber wrote:
> Use the newly introduced capability CAP_CHECKPOINT_RESTORE to allow
> writing to ns_last_pid.
>
> Signed-off-by: Adrian Reber
> Signed-off-by: Nicolas Viennot
> ---
Acked-by: Christian Brauner
, or
> memfd
> files.
>
> See corresponding selftest for an example with clone3().
>
> Signed-off-by: Adrian Reber
> Signed-off-by: Nicolas Viennot
> ---
Thanks!
This looks good now.
Acked-by: Christian Brauner
> include/linux/capability.h | 6 ++
>
On Wed, Jul 15, 2020 at 03:42:11PM +0200, Florian Weimer wrote:
> * Mathieu Desnoyers:
>
> > So indeed it could be done today without upgrading the toolchains by
> > writing custom assembler for each architecture to get the thread's
> > struct rseq. AFAIU the ABI to access the thread pointer is
On Wed, Jul 15, 2020 at 01:38:51PM +0200, Christian Brauner wrote:
> On Mon, Jul 13, 2020 at 11:03:46PM -0400, Mathieu Desnoyers wrote:
> > Add a __rseq_abi.flags "RSEQ_TLS_FLAG_SIZE", which indicates support for
> > extending struct rseq. This adds two new fields to s
On Mon, Jul 13, 2020 at 11:03:46PM -0400, Mathieu Desnoyers wrote:
> Add a __rseq_abi.flags "RSEQ_TLS_FLAG_SIZE", which indicates support for
> extending struct rseq. This adds two new fields to struct rseq:
> user_size and kernel_size.
>
> The user_size field allows the size of the __rseq_abi
On Tue, Jul 14, 2020 at 06:14:15PM +0200, Christian Brauner wrote:
> This implements the mount_setattr() syscall. While the new mount api
> allows to change the properties of a superblock there is currently no
> way to change the mount properties of a mount or mount tree using mou
On Wed, Jul 15, 2020 at 08:31:05AM +0200, Florian Weimer wrote:
> * Chris Kennelly:
>
> > When glibc provides registration, is the anticipated use case that a
> > library would unregister and reregister each thread to "upgrade" it to
> > the most modern version of interface it knows about
o bind mounts: honor mount writer counts
at remount")
Cc: Al Viro
Cc: David Howells
Cc: linux-fsde...@vger.kernel.org
Signed-off-by: Christian Brauner
---
fs/namespace.c | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/fs/namespace.c b/fs/namespace.c
Signed-off-by: Christian Brauner
---
man2/mount_setattr.2 | 296 +++
1 file changed, 296 insertions(+)
create mode 100644 man2/mount_setattr.2
diff --git a/man2/mount_setattr.2 b/man2/mount_setattr.2
new file mode 100644
index 0..aae10525e
. Manpage and selftests included.
[1]: https://lore.kernel.org/lkml/20200518144212.xpfjlajgwzwhlq7r@wittgenstein/
[2]: https://lore.kernel.org/lkml/CAKgNAkioH1z-pVimHziWP=ztybgcowoc7ekwgfwzaz1fpyg...@mail.gmail.com/
[3]: https://github.com/moby/moby/issues/37838
Thanks!
Christian
Christian
] mount_setattr.wrong_user_namespace
[ RUN ] mount_setattr.wrong_mount_namespace
[ OK ] mount_setattr.wrong_mount_namespace
[==] 9 / 9 tests passed.
[ PASSED ]
Cc: Al Viro
Cc: David Howells
Cc: linux-fsde...@vger.kernel.org
Signed-off-by: Christian Brauner
---
tools/testing/selftests
once when changing mount properties. This simplifies
the locking in these codepath, makes them easier to reason about and
avoids having to reacquire the lock right after dropping it.
Cc: Al Viro
Cc: David Howells
Cc: linux-fsde...@vger.kernel.org
Signed-off-by: Christian Brauner
---
fs
[1]: commit 2e4b7fcd9260 ("[PATCH] r/o bind mounts: honor mount writer counts
at remount")
Cc: David Howells
Cc: Aleksa Sarai
Cc: Al Viro
Cc: linux-...@vger.kernel.org
Cc: linux-fsde...@vger.kernel.org
Signed-off-by: Christian Brauner
---
arch/alpha/kernel/syscalls/syscall.tbl
Reviewed-by: Tycho Andersen
> Signed-off-by: Kees Cook
> ---
Acked-by: Christian Brauner
NFIG_USER_NS (and add to "config" since we'd prefer to actually test
> this case).
>
> Signed-off-by: Kees Cook
> ---
Just a comment, otherwise:
Acked-by: Christian Brauner
> tools/testing/selftests/seccomp/config| 1 +
> tools/testing/selftests/seccomp/seccomp_bpf
On Thu, Jul 09, 2020 at 11:15:57AM -0400, Mathieu Desnoyers wrote:
> - On Jul 9, 2020, at 8:49 AM, Christian Brauner
> christian.brau...@ubuntu.com wrote:
>
> > On Wed, Jul 08, 2020 at 01:34:48PM -0400, Mathieu Desnoyers wrote:
> >> - On Jul 8, 2020, at 12:
On Fri, Jul 10, 2020 at 08:28:03AM +0200, Greg KH wrote:
> On Thu, Jul 09, 2020 at 11:41:47AM -0700, Nick Desaulniers wrote:
> > Hello folks,
> > I'm working on putting together an LLVM "Micro Conference" for the
> > upcoming Linux Plumbers Conf
> >
On Fri, Jul 10, 2020 at 07:58:36AM -0400, Qian Cai wrote:
> On Thu, Jun 18, 2020 at 10:45:43AM +0200, Christian Brauner wrote:
> > Add an ioctl() to return the PID of the init process/child reaper of a pid
> > namespace as seen in the caller's pid namespace.
> >
>
vger.kernel.org
> Fixes: 48a87cc26c13 ("net: netprio: fd passed in SCM_RIGHTS datagram not set
> correctly")
> Fixes: d84295067fc7 ("net: net_cls: fd passed in SCM_RIGHTS datagram not set
> correctly")
> Signed-off-by: Kees Cook
> ---
Thanks!
Acked-by: Christian Brauner