Re: call_usermodehelper in containers

On Fri, 2016-03-25 at 02:28 +0100, Oleg Nesterov wrote: > Hi Ian, > > I can't really recall this old discussion, so I can be easily wrong... > > On 03/24, Ian Kent wrote: > > > > On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote: > > > > > > IOW. Please the the "patch" below. It is

Re: call_usermodehelper in containers

On Fri, 2016-03-25 at 02:28 +0100, Oleg Nesterov wrote: > Hi Ian, > > I can't really recall this old discussion, so I can be easily wrong... > > On 03/24, Ian Kent wrote: > > > > On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote: > > > > > > IOW. Please the the "patch" below. It is

Re: call_usermodehelper in containers

Hi Ian, I can't really recall this old discussion, so I can be easily wrong... On 03/24, Ian Kent wrote: > > On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote: > > > > IOW. Please the the "patch" below. It is obviously incomplete and > > wrong, > > and it can be more clear/clean. And

Re: call_usermodehelper in containers

Hi Ian, I can't really recall this old discussion, so I can be easily wrong... On 03/24, Ian Kent wrote: > > On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote: > > > > IOW. Please the the "patch" below. It is obviously incomplete and > > wrong, > > and it can be more clear/clean. And

Re: call_usermodehelper in containers

On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote: > On 11/15, Eric W. Biederman wrote: > > > > I don't understand that one. Having a preforked thread with the > > proper > > environment that can act like kthreadd in terms of spawning user > > mode > > helpers works and is simple. > >

Re: call_usermodehelper in containers

On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote: > On 11/15, Eric W. Biederman wrote: > > > > I don't understand that one. Having a preforked thread with the > > proper > > environment that can act like kthreadd in terms of spawning user > > mode > > helpers works and is simple. > >

Re: call_usermodehelper in containers

On Tue, 2016-02-23 at 09:36 -0500, J. Bruce Fields wrote: > On Tue, Feb 23, 2016 at 10:55:30AM +0800, Ian Kent wrote: > > You know, wrt. the mechanism Oleg suggested, I've been wondering if > > it's > > even necessary to capture process template information for > > execution. > > > > Isn't the

Re: call_usermodehelper in containers

On Tue, 2016-02-23 at 09:36 -0500, J. Bruce Fields wrote: > On Tue, Feb 23, 2016 at 10:55:30AM +0800, Ian Kent wrote: > > You know, wrt. the mechanism Oleg suggested, I've been wondering if > > it's > > even necessary to capture process template information for > > execution. > > > > Isn't the

Re: call_usermodehelper in containers

On Tue, Feb 23, 2016 at 10:55:30AM +0800, Ian Kent wrote: > You know, wrt. the mechanism Oleg suggested, I've been wondering if it's > even necessary to capture process template information for execution. > > Isn't the main issue the execution of unknown arbitrary objects getting > access to a

Re: call_usermodehelper in containers

On Tue, Feb 23, 2016 at 10:55:30AM +0800, Ian Kent wrote: > You know, wrt. the mechanism Oleg suggested, I've been wondering if it's > even necessary to capture process template information for execution. > > Isn't the main issue the execution of unknown arbitrary objects getting > access to a

Re: call_usermodehelper in containers

On Fri, 2016-02-19 at 13:14 +0800, Ian Kent wrote: > On Thu, 2016-02-18 at 14:45 -0600, Eric W. Biederman wrote: > > Ian Kent writes: > > > > > On Thu, 2016-02-18 at 14:36 +0800, Ian Kent wrote: > > > > On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote: > > > > > On

Re: call_usermodehelper in containers

On Fri, 2016-02-19 at 13:14 +0800, Ian Kent wrote: > On Thu, 2016-02-18 at 14:45 -0600, Eric W. Biederman wrote: > > Ian Kent writes: > > > > > On Thu, 2016-02-18 at 14:36 +0800, Ian Kent wrote: > > > > On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote: > > > > > On 2016/02/18 11:57,

Re: call_usermodehelper in containers

On Fri, 2016-02-19 at 18:30 +0900, Kamezawa Hiroyuki wrote: > On 2016/02/19 14:37, Ian Kent wrote: > > On Fri, 2016-02-19 at 12:08 +0900, Kamezawa Hiroyuki wrote: > > > On 2016/02/19 5:45, Eric W. Biederman wrote: > > > > Personally I am a fan of the don't be clever and capture a > > > > kernel >

Re: call_usermodehelper in containers

On Fri, 2016-02-19 at 18:30 +0900, Kamezawa Hiroyuki wrote: > On 2016/02/19 14:37, Ian Kent wrote: > > On Fri, 2016-02-19 at 12:08 +0900, Kamezawa Hiroyuki wrote: > > > On 2016/02/19 5:45, Eric W. Biederman wrote: > > > > Personally I am a fan of the don't be clever and capture a > > > > kernel >

Re: call_usermodehelper in containers

On 2016/02/19 14:37, Ian Kent wrote: On Fri, 2016-02-19 at 12:08 +0900, Kamezawa Hiroyuki wrote: On 2016/02/19 5:45, Eric W. Biederman wrote: Personally I am a fan of the don't be clever and capture a kernel thread approach as it is very easy to see you what if any exploitation opportunities

Re: call_usermodehelper in containers

On 2016/02/19 14:37, Ian Kent wrote: On Fri, 2016-02-19 at 12:08 +0900, Kamezawa Hiroyuki wrote: On 2016/02/19 5:45, Eric W. Biederman wrote: Personally I am a fan of the don't be clever and capture a kernel thread approach as it is very easy to see you what if any exploitation opportunities

Re: call_usermodehelper in containers

On Fri, 2016-02-19 at 12:08 +0900, Kamezawa Hiroyuki wrote: > On 2016/02/19 5:45, Eric W. Biederman wrote: > > Personally I am a fan of the don't be clever and capture a kernel > > thread > > approach as it is very easy to see you what if any exploitation > > opportunities there are. The

Re: call_usermodehelper in containers

On Fri, 2016-02-19 at 12:08 +0900, Kamezawa Hiroyuki wrote: > On 2016/02/19 5:45, Eric W. Biederman wrote: > > Personally I am a fan of the don't be clever and capture a kernel > > thread > > approach as it is very easy to see you what if any exploitation > > opportunities there are. The

Re: call_usermodehelper in containers

On Thu, 2016-02-18 at 14:45 -0600, Eric W. Biederman wrote: > Ian Kent writes: > > > On Thu, 2016-02-18 at 14:36 +0800, Ian Kent wrote: > > > On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote: > > > > On 2016/02/18 11:57, Eric W. Biederman wrote: > > > > > > > > > >

Re: call_usermodehelper in containers

On Thu, 2016-02-18 at 14:45 -0600, Eric W. Biederman wrote: > Ian Kent writes: > > > On Thu, 2016-02-18 at 14:36 +0800, Ian Kent wrote: > > > On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote: > > > > On 2016/02/18 11:57, Eric W. Biederman wrote: > > > > > > > > > > Ccing The

Re: call_usermodehelper in containers

On 2016/02/19 5:45, Eric W. Biederman wrote: > Personally I am a fan of the don't be clever and capture a kernel thread > approach as it is very easy to see you what if any exploitation > opportunities there are. The justifications for something more clever > is trickier. Of course we do

Re: call_usermodehelper in containers

On 2016/02/19 5:45, Eric W. Biederman wrote: > Personally I am a fan of the don't be clever and capture a kernel thread > approach as it is very easy to see you what if any exploitation > opportunities there are. The justifications for something more clever > is trickier. Of course we do

Re: call_usermodehelper in containers

Ian Kent writes: > On Thu, 2016-02-18 at 14:36 +0800, Ian Kent wrote: >> On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote: >> > On 2016/02/18 11:57, Eric W. Biederman wrote: >> > > >> > > Ccing The containers list because a related discussion is >> > > happening >> >

Re: call_usermodehelper in containers

Ian Kent writes: > On Thu, 2016-02-18 at 14:36 +0800, Ian Kent wrote: >> On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote: >> > On 2016/02/18 11:57, Eric W. Biederman wrote: >> > > >> > > Ccing The containers list because a related discussion is >> > > happening >> > > there >> > >

Re: call_usermodehelper in containers

On Thu, 2016-02-18 at 14:36 +0800, Ian Kent wrote: > On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote: > > On 2016/02/18 11:57, Eric W. Biederman wrote: > > > > > > Ccing The containers list because a related discussion is > > > happening > > > there > > > and somehow this thread has

Re: call_usermodehelper in containers

On Thu, 2016-02-18 at 14:36 +0800, Ian Kent wrote: > On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote: > > On 2016/02/18 11:57, Eric W. Biederman wrote: > > > > > > Ccing The containers list because a related discussion is > > > happening > > > there > > > and somehow this thread has

Re: call_usermodehelper in containers

On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote: > On 2016/02/18 11:57, Eric W. Biederman wrote: > > > > Ccing The containers list because a related discussion is happening > > there > > and somehow this thread has never made it there. > > > > Ian Kent writes: > >

Re: call_usermodehelper in containers

On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote: > On 2016/02/18 11:57, Eric W. Biederman wrote: > > > > Ccing The containers list because a related discussion is happening > > there > > and somehow this thread has never made it there. > > > > Ian Kent writes: > > > > > On Mon,

Re: call_usermodehelper in containers

On 2016/02/18 11:57, Eric W. Biederman wrote: > > Ccing The containers list because a related discussion is happening there > and somehow this thread has never made it there. > > Ian Kent writes: > >> On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote: >>> On 11/15, Eric

Re: call_usermodehelper in containers

On 2016/02/18 11:57, Eric W. Biederman wrote: > > Ccing The containers list because a related discussion is happening there > and somehow this thread has never made it there. > > Ian Kent writes: > >> On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote: >>> On 11/15, Eric W. Biederman

Re: call_usermodehelper in containers

Ian Kent writes: > AFAICS kernel/kmod.c used to use create_singlethread_workqueue() and > queue_work() to perform umh calls, now it uses only queue_work() and > the system_unbound_wq workqueue. > > Looking at the workqueue sub system there doesn't appear to be a way to >

Re: call_usermodehelper in containers

Ian Kent writes: > AFAICS kernel/kmod.c used to use create_singlethread_workqueue() and > queue_work() to perform umh calls, now it uses only queue_work() and > the system_unbound_wq workqueue. > > Looking at the workqueue sub system there doesn't appear to be a way to > create a workqueue with

Re: call_usermodehelper in containers

Ccing The containers list because a related discussion is happening there and somehow this thread has never made it there. Ian Kent writes: > On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote: >> On 11/15, Eric W. Biederman wrote: >> > >> > I don't understand that one.

Re: call_usermodehelper in containers

Ccing The containers list because a related discussion is happening there and somehow this thread has never made it there. Ian Kent writes: > On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote: >> On 11/15, Eric W. Biederman wrote: >> > >> > I don't understand that one. Having a

Re: call_usermodehelper in containers

> > > > > > 12.11.2013 15:12, Jeff Layton пишет: > > > > > > > > On Mon, 11 Nov 2013 16:47:03 -0800 > > > > > > > > Greg KH <gre...@linuxfoundation.org> wrote: > > > > > > > > > > > > > &

Re: call_usermodehelper in containers

т: > > > > > > > > On Mon, 11 Nov 2013 16:47:03 -0800 > > > > > > > > Greg KH wrote: > > > > > > > > > > > > > > > > > On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layt

Re: call_usermodehelper in containers

, Jeff Layton пишет: On Mon, 11 Nov 2013 16:47:03 -0800 Greg KH wrote: On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote: We have a bit of a problem wrt to upcalls that use call_usermodehelper with containers and I'd like to bring this to some sort of resolution... A particularly

Re: call_usermodehelper in containers

bursky <skinsbur...@parallels.com> wrote: 12.11.2013 15:12, Jeff Layton пишет: On Mon, 11 Nov 2013 16:47:03 -0800 Greg KH <gre...@linuxfoundation.org> wrote: On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote: We have a bit of a problem wrt to upcalls that use c

Re: call_usermodehelper in containers

gt; > On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton > > > > > > > wrote: > > > > > > > > We have a bit of a problem wrt to upcalls that use > > > > > > > > call_usermodehelper > > > > > > > > with containe

Re: call_usermodehelper in containers

nuxfoundation.org> wrote: > > > > > > > > > > > > > On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton > > > > > > > wrote: > > > > > > > > We have a bit of a problem wrt to upcalls that use > > > > > > >

Re: call_usermodehelper in containers

On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote: > On 11/15, Eric W. Biederman wrote: > > > > I don't understand that one. Having a preforked thread with the > > proper > > environment that can act like kthreadd in terms of spawning user > > mode > > helpers works and is simple. Forgive

Re: call_usermodehelper in containers

On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote: > On 11/15, Eric W. Biederman wrote: > > > > I don't understand that one. Having a preforked thread with the > > proper > > environment that can act like kthreadd in terms of spawning user > > mode > > helpers works and is simple. Forgive

Re: call_usermodehelper in containers

On Mon, 18 Nov 2013 19:02:59 +0100 Oleg Nesterov wrote: > On 11/18, Oleg Nesterov wrote: > > > > On 11/15, Eric W. Biederman wrote: > > > > > > I don't understand that one. Having a preforked thread with the proper > > > environment that can act like kthreadd in terms of spawning user mode > >

Re: call_usermodehelper in containers

On Mon, 18 Nov 2013 19:02:59 +0100 Oleg Nesterov o...@redhat.com wrote: On 11/18, Oleg Nesterov wrote: On 11/15, Eric W. Biederman wrote: I don't understand that one. Having a preforked thread with the proper environment that can act like kthreadd in terms of spawning user mode

Re: call_usermodehelper in containers

On 11/18, Oleg Nesterov wrote: > > On 11/15, Eric W. Biederman wrote: > > > > I don't understand that one. Having a preforked thread with the proper > > environment that can act like kthreadd in terms of spawning user mode > > helpers works and is simple. > > Can't we ask ->child_reaper to create

Re: call_usermodehelper in containers

On 11/15, Eric W. Biederman wrote: > > I don't understand that one. Having a preforked thread with the proper > environment that can act like kthreadd in terms of spawning user mode > helpers works and is simple. Can't we ask ->child_reaper to create the non-daemonized kernel thread with the

Re: call_usermodehelper in containers

On 11/15, Eric W. Biederman wrote: I don't understand that one. Having a preforked thread with the proper environment that can act like kthreadd in terms of spawning user mode helpers works and is simple. Can't we ask -child_reaper to create the non-daemonized kernel thread with the right

Re: call_usermodehelper in containers

On 11/18, Oleg Nesterov wrote: On 11/15, Eric W. Biederman wrote: I don't understand that one. Having a preforked thread with the proper environment that can act like kthreadd in terms of spawning user mode helpers works and is simple. Can't we ask -child_reaper to create the

Re: call_usermodehelper in containers

:18:25AM -0500, Jeff Layton wrote: We have a bit of a problem wrt to upcalls that use call_usermodehelper with containers and I'd like to bring this to some sort of resolution... A particularly problematic case (though there are others) is the nfsdcltrack upcall. It basically uses

Re: call_usermodehelper in containers

e: >>>> >>>>> On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote: >>>>>> We have a bit of a problem wrt to upcalls that use call_usermodehelper >>>>>> with containers and I'd like to bring this to some sort of resolution... >&g

Re: call_usermodehelper in containers

to upcalls that use call_usermodehelper with containers and I'd like to bring this to some sort of resolution... A particularly problematic case (though there are others) is the nfsdcltrack upcall. It basically uses call_usermodehelper to run a program in userland to track some information on stable storage

Re: call_usermodehelper in containers

Layton wrote: We have a bit of a problem wrt to upcalls that use call_usermodehelper with containers and I'd like to bring this to some sort of resolution... A particularly problematic case (though there are others) is the nfsdcltrack upcall. It basically uses call_usermodehelper to run a program

Re: call_usermodehelper in containers

wrote: On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote: We have a bit of a problem wrt to upcalls that use call_usermodehelper with containers and I'd like to bring this to some sort of resolution... A particularly problematic case (though there are others) is the nfsdcltrack upcall

Re: call_usermodehelper in containers

-0800 Greg KH gre...@linuxfoundation.org wrote: On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote: We have a bit of a problem wrt to upcalls that use call_usermodehelper with containers and I'd like to bring this to some sort of resolution... A particularly problematic case (though

Re: call_usermodehelper in containers

, Jeff Layton wrote: >> >>> We have a bit of a problem wrt to upcalls that use call_usermodehelper >> >>> with containers and I'd like to bring this to some sort of resolution... >> >>> >> >>> A particularly problematic case (though

Re: call_usermodehelper in containers

, Jeff Layton wrote: We have a bit of a problem wrt to upcalls that use call_usermodehelper with containers and I'd like to bring this to some sort of resolution... A particularly problematic case (though there are others) is the nfsdcltrack upcall. It basically uses call_usermodehelper

Re: call_usermodehelper in containers

a bit of a problem wrt to upcalls that use call_usermodehelper > >>> with containers and I'd like to bring this to some sort of resolution... > >>> > >>> A particularly problematic case (though there are others) is the > >>> nfsdcltrack upcall. It basic

Re: call_usermodehelper in containers

12.11.2013 15:12, Jeff Layton пишет: On Mon, 11 Nov 2013 16:47:03 -0800 Greg KH wrote: On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote: We have a bit of a problem wrt to upcalls that use call_usermodehelper with containers and I'd like to bring this to some sort of resolution

Re: call_usermodehelper in containers

On Mon, 11 Nov 2013 16:47:03 -0800 Greg KH wrote: > On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote: > > We have a bit of a problem wrt to upcalls that use call_usermodehelper > > with containers and I'd like to bring this to some sort of resolution... > >

Re: call_usermodehelper in containers

On Mon, 11 Nov 2013 16:47:03 -0800 Greg KH gre...@linuxfoundation.org wrote: On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote: We have a bit of a problem wrt to upcalls that use call_usermodehelper with containers and I'd like to bring this to some sort of resolution

Re: call_usermodehelper in containers

12.11.2013 15:12, Jeff Layton пишет: On Mon, 11 Nov 2013 16:47:03 -0800 Greg KH gre...@linuxfoundation.org wrote: On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote: We have a bit of a problem wrt to upcalls that use call_usermodehelper with containers and I'd like to bring

Re: call_usermodehelper in containers

of a problem wrt to upcalls that use call_usermodehelper with containers and I'd like to bring this to some sort of resolution... A particularly problematic case (though there are others) is the nfsdcltrack upcall. It basically uses call_usermodehelper to run a program in userland to track some

Re: call_usermodehelper in containers

On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote: > We have a bit of a problem wrt to upcalls that use call_usermodehelper > with containers and I'd like to bring this to some sort of resolution... > > A particularly problematic case (though there are others) is the &

Re: [Devel] call_usermodehelper in containers

On Mon, 11 Nov 2013 16:43:21 +0400 Vasily Kulikov wrote: > Hi Jeff, > > On Mon, Nov 11, 2013 at 07:18 -0500, Jeff Layton wrote: > > What's the correct approach to fix this? One possibility would be to > > keep a kernel thread around that sits in the correct namespace(s) and > > has the right

Re: [Devel] call_usermodehelper in containers

Hi Jeff, On Mon, Nov 11, 2013 at 07:18 -0500, Jeff Layton wrote: > What's the correct approach to fix this? One possibility would be to > keep a kernel thread around that sits in the correct namespace(s) and > has the right privileges, and then use that to launch UMH programs. > That thread could

call_usermodehelper in containers

We have a bit of a problem wrt to upcalls that use call_usermodehelper with containers and I'd like to bring this to some sort of resolution... A particularly problematic case (though there are others) is the nfsdcltrack upcall. It basically uses call_usermodehelper to run a program in userland

call_usermodehelper in containers

We have a bit of a problem wrt to upcalls that use call_usermodehelper with containers and I'd like to bring this to some sort of resolution... A particularly problematic case (though there are others) is the nfsdcltrack upcall. It basically uses call_usermodehelper to run a program in userland

Re: [Devel] call_usermodehelper in containers

Hi Jeff, On Mon, Nov 11, 2013 at 07:18 -0500, Jeff Layton wrote: What's the correct approach to fix this? One possibility would be to keep a kernel thread around that sits in the correct namespace(s) and has the right privileges, and then use that to launch UMH programs. That thread could be

Re: [Devel] call_usermodehelper in containers

On Mon, 11 Nov 2013 16:43:21 +0400 Vasily Kulikov seg...@openwall.com wrote: Hi Jeff, On Mon, Nov 11, 2013 at 07:18 -0500, Jeff Layton wrote: What's the correct approach to fix this? One possibility would be to keep a kernel thread around that sits in the correct namespace(s) and has

Re: call_usermodehelper in containers

On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote: We have a bit of a problem wrt to upcalls that use call_usermodehelper with containers and I'd like to bring this to some sort of resolution... A particularly problematic case (though there are others) is the nfsdcltrack upcall