On Fri, 2016-03-25 at 02:28 +0100, Oleg Nesterov wrote:
> Hi Ian,
>
> I can't really recall this old discussion, so I can be easily wrong...
>
> On 03/24, Ian Kent wrote:
> >
> > On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote:
> > >
> > > IOW. Please the the "patch" below. It is
On Fri, 2016-03-25 at 02:28 +0100, Oleg Nesterov wrote:
> Hi Ian,
>
> I can't really recall this old discussion, so I can be easily wrong...
>
> On 03/24, Ian Kent wrote:
> >
> > On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote:
> > >
> > > IOW. Please the the "patch" below. It is
Hi Ian,
I can't really recall this old discussion, so I can be easily wrong...
On 03/24, Ian Kent wrote:
>
> On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote:
> >
> > IOW. Please the the "patch" below. It is obviously incomplete and
> > wrong,
> > and it can be more clear/clean. And
Hi Ian,
I can't really recall this old discussion, so I can be easily wrong...
On 03/24, Ian Kent wrote:
>
> On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote:
> >
> > IOW. Please the the "patch" below. It is obviously incomplete and
> > wrong,
> > and it can be more clear/clean. And
On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote:
> On 11/15, Eric W. Biederman wrote:
> >
> > I don't understand that one. Having a preforked thread with the
> > proper
> > environment that can act like kthreadd in terms of spawning user
> > mode
> > helpers works and is simple.
>
>
On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote:
> On 11/15, Eric W. Biederman wrote:
> >
> > I don't understand that one. Having a preforked thread with the
> > proper
> > environment that can act like kthreadd in terms of spawning user
> > mode
> > helpers works and is simple.
>
>
On Tue, 2016-02-23 at 09:36 -0500, J. Bruce Fields wrote:
> On Tue, Feb 23, 2016 at 10:55:30AM +0800, Ian Kent wrote:
> > You know, wrt. the mechanism Oleg suggested, I've been wondering if
> > it's
> > even necessary to capture process template information for
> > execution.
> >
> > Isn't the
On Tue, 2016-02-23 at 09:36 -0500, J. Bruce Fields wrote:
> On Tue, Feb 23, 2016 at 10:55:30AM +0800, Ian Kent wrote:
> > You know, wrt. the mechanism Oleg suggested, I've been wondering if
> > it's
> > even necessary to capture process template information for
> > execution.
> >
> > Isn't the
On Tue, Feb 23, 2016 at 10:55:30AM +0800, Ian Kent wrote:
> You know, wrt. the mechanism Oleg suggested, I've been wondering if it's
> even necessary to capture process template information for execution.
>
> Isn't the main issue the execution of unknown arbitrary objects getting
> access to a
On Tue, Feb 23, 2016 at 10:55:30AM +0800, Ian Kent wrote:
> You know, wrt. the mechanism Oleg suggested, I've been wondering if it's
> even necessary to capture process template information for execution.
>
> Isn't the main issue the execution of unknown arbitrary objects getting
> access to a
On Fri, 2016-02-19 at 13:14 +0800, Ian Kent wrote:
> On Thu, 2016-02-18 at 14:45 -0600, Eric W. Biederman wrote:
> > Ian Kent writes:
> >
> > > On Thu, 2016-02-18 at 14:36 +0800, Ian Kent wrote:
> > > > On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote:
> > > > > On
On Fri, 2016-02-19 at 13:14 +0800, Ian Kent wrote:
> On Thu, 2016-02-18 at 14:45 -0600, Eric W. Biederman wrote:
> > Ian Kent writes:
> >
> > > On Thu, 2016-02-18 at 14:36 +0800, Ian Kent wrote:
> > > > On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote:
> > > > > On 2016/02/18 11:57,
On Fri, 2016-02-19 at 18:30 +0900, Kamezawa Hiroyuki wrote:
> On 2016/02/19 14:37, Ian Kent wrote:
> > On Fri, 2016-02-19 at 12:08 +0900, Kamezawa Hiroyuki wrote:
> > > On 2016/02/19 5:45, Eric W. Biederman wrote:
> > > > Personally I am a fan of the don't be clever and capture a
> > > > kernel
>
On Fri, 2016-02-19 at 18:30 +0900, Kamezawa Hiroyuki wrote:
> On 2016/02/19 14:37, Ian Kent wrote:
> > On Fri, 2016-02-19 at 12:08 +0900, Kamezawa Hiroyuki wrote:
> > > On 2016/02/19 5:45, Eric W. Biederman wrote:
> > > > Personally I am a fan of the don't be clever and capture a
> > > > kernel
>
On 2016/02/19 14:37, Ian Kent wrote:
On Fri, 2016-02-19 at 12:08 +0900, Kamezawa Hiroyuki wrote:
On 2016/02/19 5:45, Eric W. Biederman wrote:
Personally I am a fan of the don't be clever and capture a kernel
thread
approach as it is very easy to see you what if any exploitation
opportunities
On 2016/02/19 14:37, Ian Kent wrote:
On Fri, 2016-02-19 at 12:08 +0900, Kamezawa Hiroyuki wrote:
On 2016/02/19 5:45, Eric W. Biederman wrote:
Personally I am a fan of the don't be clever and capture a kernel
thread
approach as it is very easy to see you what if any exploitation
opportunities
On Fri, 2016-02-19 at 12:08 +0900, Kamezawa Hiroyuki wrote:
> On 2016/02/19 5:45, Eric W. Biederman wrote:
> > Personally I am a fan of the don't be clever and capture a kernel
> > thread
> > approach as it is very easy to see you what if any exploitation
> > opportunities there are. The
On Fri, 2016-02-19 at 12:08 +0900, Kamezawa Hiroyuki wrote:
> On 2016/02/19 5:45, Eric W. Biederman wrote:
> > Personally I am a fan of the don't be clever and capture a kernel
> > thread
> > approach as it is very easy to see you what if any exploitation
> > opportunities there are. The
On Thu, 2016-02-18 at 14:45 -0600, Eric W. Biederman wrote:
> Ian Kent writes:
>
> > On Thu, 2016-02-18 at 14:36 +0800, Ian Kent wrote:
> > > On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote:
> > > > On 2016/02/18 11:57, Eric W. Biederman wrote:
> > > > >
> > > > >
On Thu, 2016-02-18 at 14:45 -0600, Eric W. Biederman wrote:
> Ian Kent writes:
>
> > On Thu, 2016-02-18 at 14:36 +0800, Ian Kent wrote:
> > > On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote:
> > > > On 2016/02/18 11:57, Eric W. Biederman wrote:
> > > > >
> > > > > Ccing The
On 2016/02/19 5:45, Eric W. Biederman wrote:
> Personally I am a fan of the don't be clever and capture a kernel thread
> approach as it is very easy to see you what if any exploitation
> opportunities there are. The justifications for something more clever
> is trickier. Of course we do
On 2016/02/19 5:45, Eric W. Biederman wrote:
> Personally I am a fan of the don't be clever and capture a kernel thread
> approach as it is very easy to see you what if any exploitation
> opportunities there are. The justifications for something more clever
> is trickier. Of course we do
Ian Kent writes:
> On Thu, 2016-02-18 at 14:36 +0800, Ian Kent wrote:
>> On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote:
>> > On 2016/02/18 11:57, Eric W. Biederman wrote:
>> > >
>> > > Ccing The containers list because a related discussion is
>> > > happening
>> >
Ian Kent writes:
> On Thu, 2016-02-18 at 14:36 +0800, Ian Kent wrote:
>> On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote:
>> > On 2016/02/18 11:57, Eric W. Biederman wrote:
>> > >
>> > > Ccing The containers list because a related discussion is
>> > > happening
>> > > there
>> > >
On Thu, 2016-02-18 at 14:36 +0800, Ian Kent wrote:
> On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote:
> > On 2016/02/18 11:57, Eric W. Biederman wrote:
> > >
> > > Ccing The containers list because a related discussion is
> > > happening
> > > there
> > > and somehow this thread has
On Thu, 2016-02-18 at 14:36 +0800, Ian Kent wrote:
> On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote:
> > On 2016/02/18 11:57, Eric W. Biederman wrote:
> > >
> > > Ccing The containers list because a related discussion is
> > > happening
> > > there
> > > and somehow this thread has
On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote:
> On 2016/02/18 11:57, Eric W. Biederman wrote:
> >
> > Ccing The containers list because a related discussion is happening
> > there
> > and somehow this thread has never made it there.
> >
> > Ian Kent writes:
> >
On Thu, 2016-02-18 at 12:43 +0900, Kamezawa Hiroyuki wrote:
> On 2016/02/18 11:57, Eric W. Biederman wrote:
> >
> > Ccing The containers list because a related discussion is happening
> > there
> > and somehow this thread has never made it there.
> >
> > Ian Kent writes:
> >
> > > On Mon,
On 2016/02/18 11:57, Eric W. Biederman wrote:
>
> Ccing The containers list because a related discussion is happening there
> and somehow this thread has never made it there.
>
> Ian Kent writes:
>
>> On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote:
>>> On 11/15, Eric
On 2016/02/18 11:57, Eric W. Biederman wrote:
>
> Ccing The containers list because a related discussion is happening there
> and somehow this thread has never made it there.
>
> Ian Kent writes:
>
>> On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote:
>>> On 11/15, Eric W. Biederman
Ian Kent writes:
> AFAICS kernel/kmod.c used to use create_singlethread_workqueue() and
> queue_work() to perform umh calls, now it uses only queue_work() and
> the system_unbound_wq workqueue.
>
> Looking at the workqueue sub system there doesn't appear to be a way to
>
Ian Kent writes:
> AFAICS kernel/kmod.c used to use create_singlethread_workqueue() and
> queue_work() to perform umh calls, now it uses only queue_work() and
> the system_unbound_wq workqueue.
>
> Looking at the workqueue sub system there doesn't appear to be a way to
> create a workqueue with
Ccing The containers list because a related discussion is happening there
and somehow this thread has never made it there.
Ian Kent writes:
> On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote:
>> On 11/15, Eric W. Biederman wrote:
>> >
>> > I don't understand that one.
Ccing The containers list because a related discussion is happening there
and somehow this thread has never made it there.
Ian Kent writes:
> On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote:
>> On 11/15, Eric W. Biederman wrote:
>> >
>> > I don't understand that one. Having a
> > > > > > 12.11.2013 15:12, Jeff Layton пишет:
> > > > > > > > On Mon, 11 Nov 2013 16:47:03 -0800
> > > > > > > > Greg KH <gre...@linuxfoundation.org> wrote:
> > > > > > > >
> > > > > &
т:
> > > > > > > > On Mon, 11 Nov 2013 16:47:03 -0800
> > > > > > > > Greg KH wrote:
> > > > > > > >
> > > > > > > > > On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layt
, Jeff Layton пишет:
On Mon, 11 Nov 2013 16:47:03 -0800
Greg KH wrote:
On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton
wrote:
We have a bit of a problem wrt to upcalls that use
call_usermodehelper
with containers and I'd like to bring this to some sort
of resolution...
A particularly
bursky <skinsbur...@parallels.com> wrote:
12.11.2013 15:12, Jeff Layton пишет:
On Mon, 11 Nov 2013 16:47:03 -0800
Greg KH <gre...@linuxfoundation.org> wrote:
On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton
wrote:
We have a bit of a problem wrt to upcalls that use
c
gt; > On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton
> > > > > > > wrote:
> > > > > > > > We have a bit of a problem wrt to upcalls that use
> > > > > > > > call_usermodehelper
> > > > > > > > with containe
nuxfoundation.org> wrote:
> > > > > >
> > > > > > > On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton
> > > > > > > wrote:
> > > > > > > > We have a bit of a problem wrt to upcalls that use
> > > > > > >
On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote:
> On 11/15, Eric W. Biederman wrote:
> >
> > I don't understand that one. Having a preforked thread with the
> > proper
> > environment that can act like kthreadd in terms of spawning user
> > mode
> > helpers works and is simple.
Forgive
On Mon, 2013-11-18 at 18:28 +0100, Oleg Nesterov wrote:
> On 11/15, Eric W. Biederman wrote:
> >
> > I don't understand that one. Having a preforked thread with the
> > proper
> > environment that can act like kthreadd in terms of spawning user
> > mode
> > helpers works and is simple.
Forgive
On Mon, 18 Nov 2013 19:02:59 +0100
Oleg Nesterov wrote:
> On 11/18, Oleg Nesterov wrote:
> >
> > On 11/15, Eric W. Biederman wrote:
> > >
> > > I don't understand that one. Having a preforked thread with the proper
> > > environment that can act like kthreadd in terms of spawning user mode
> >
On Mon, 18 Nov 2013 19:02:59 +0100
Oleg Nesterov o...@redhat.com wrote:
On 11/18, Oleg Nesterov wrote:
On 11/15, Eric W. Biederman wrote:
I don't understand that one. Having a preforked thread with the proper
environment that can act like kthreadd in terms of spawning user mode
On 11/18, Oleg Nesterov wrote:
>
> On 11/15, Eric W. Biederman wrote:
> >
> > I don't understand that one. Having a preforked thread with the proper
> > environment that can act like kthreadd in terms of spawning user mode
> > helpers works and is simple.
>
> Can't we ask ->child_reaper to create
On 11/15, Eric W. Biederman wrote:
>
> I don't understand that one. Having a preforked thread with the proper
> environment that can act like kthreadd in terms of spawning user mode
> helpers works and is simple.
Can't we ask ->child_reaper to create the non-daemonized kernel thread
with the
On 11/15, Eric W. Biederman wrote:
I don't understand that one. Having a preforked thread with the proper
environment that can act like kthreadd in terms of spawning user mode
helpers works and is simple.
Can't we ask -child_reaper to create the non-daemonized kernel thread
with the right
On 11/18, Oleg Nesterov wrote:
On 11/15, Eric W. Biederman wrote:
I don't understand that one. Having a preforked thread with the proper
environment that can act like kthreadd in terms of spawning user mode
helpers works and is simple.
Can't we ask -child_reaper to create the
:18:25AM -0500, Jeff Layton wrote:
We have a bit of a problem wrt to upcalls that use call_usermodehelper
with containers and I'd like to bring this to some sort of resolution...
A particularly problematic case (though there are others) is the
nfsdcltrack upcall. It basically uses
e:
>>>>
>>>>> On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote:
>>>>>> We have a bit of a problem wrt to upcalls that use call_usermodehelper
>>>>>> with containers and I'd like to bring this to some sort of resolution...
>&g
to upcalls that use call_usermodehelper
with containers and I'd like to bring this to some sort of resolution...
A particularly problematic case (though there are others) is the
nfsdcltrack upcall. It basically uses call_usermodehelper to run a
program in userland to track some information on stable storage
Layton wrote:
We have a bit of a problem wrt to upcalls that use call_usermodehelper
with containers and I'd like to bring this to some sort of resolution...
A particularly problematic case (though there are others) is the
nfsdcltrack upcall. It basically uses call_usermodehelper to run a
program
wrote:
On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote:
We have a bit of a problem wrt to upcalls that use call_usermodehelper
with containers and I'd like to bring this to some sort of resolution...
A particularly problematic case (though there are others) is the
nfsdcltrack upcall
-0800
Greg KH gre...@linuxfoundation.org wrote:
On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote:
We have a bit of a problem wrt to upcalls that use call_usermodehelper
with containers and I'd like to bring this to some sort of resolution...
A particularly problematic case (though
, Jeff Layton wrote:
>> >>> We have a bit of a problem wrt to upcalls that use call_usermodehelper
>> >>> with containers and I'd like to bring this to some sort of resolution...
>> >>>
>> >>> A particularly problematic case (though
, Jeff Layton wrote:
We have a bit of a problem wrt to upcalls that use call_usermodehelper
with containers and I'd like to bring this to some sort of resolution...
A particularly problematic case (though there are others) is the
nfsdcltrack upcall. It basically uses call_usermodehelper
a bit of a problem wrt to upcalls that use call_usermodehelper
> >>> with containers and I'd like to bring this to some sort of resolution...
> >>>
> >>> A particularly problematic case (though there are others) is the
> >>> nfsdcltrack upcall. It basic
12.11.2013 15:12, Jeff Layton пишет:
On Mon, 11 Nov 2013 16:47:03 -0800
Greg KH wrote:
On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote:
We have a bit of a problem wrt to upcalls that use call_usermodehelper
with containers and I'd like to bring this to some sort of resolution
On Mon, 11 Nov 2013 16:47:03 -0800
Greg KH wrote:
> On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote:
> > We have a bit of a problem wrt to upcalls that use call_usermodehelper
> > with containers and I'd like to bring this to some sort of resolution...
> >
On Mon, 11 Nov 2013 16:47:03 -0800
Greg KH gre...@linuxfoundation.org wrote:
On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote:
We have a bit of a problem wrt to upcalls that use call_usermodehelper
with containers and I'd like to bring this to some sort of resolution
12.11.2013 15:12, Jeff Layton пишет:
On Mon, 11 Nov 2013 16:47:03 -0800
Greg KH gre...@linuxfoundation.org wrote:
On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote:
We have a bit of a problem wrt to upcalls that use call_usermodehelper
with containers and I'd like to bring
of a problem wrt to upcalls that use call_usermodehelper
with containers and I'd like to bring this to some sort of resolution...
A particularly problematic case (though there are others) is the
nfsdcltrack upcall. It basically uses call_usermodehelper to run a
program in userland to track some
On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote:
> We have a bit of a problem wrt to upcalls that use call_usermodehelper
> with containers and I'd like to bring this to some sort of resolution...
>
> A particularly problematic case (though there are others) is the
&
On Mon, 11 Nov 2013 16:43:21 +0400
Vasily Kulikov wrote:
> Hi Jeff,
>
> On Mon, Nov 11, 2013 at 07:18 -0500, Jeff Layton wrote:
> > What's the correct approach to fix this? One possibility would be to
> > keep a kernel thread around that sits in the correct namespace(s) and
> > has the right
Hi Jeff,
On Mon, Nov 11, 2013 at 07:18 -0500, Jeff Layton wrote:
> What's the correct approach to fix this? One possibility would be to
> keep a kernel thread around that sits in the correct namespace(s) and
> has the right privileges, and then use that to launch UMH programs.
> That thread could
We have a bit of a problem wrt to upcalls that use call_usermodehelper
with containers and I'd like to bring this to some sort of resolution...
A particularly problematic case (though there are others) is the
nfsdcltrack upcall. It basically uses call_usermodehelper to run a
program in userland
We have a bit of a problem wrt to upcalls that use call_usermodehelper
with containers and I'd like to bring this to some sort of resolution...
A particularly problematic case (though there are others) is the
nfsdcltrack upcall. It basically uses call_usermodehelper to run a
program in userland
Hi Jeff,
On Mon, Nov 11, 2013 at 07:18 -0500, Jeff Layton wrote:
What's the correct approach to fix this? One possibility would be to
keep a kernel thread around that sits in the correct namespace(s) and
has the right privileges, and then use that to launch UMH programs.
That thread could be
On Mon, 11 Nov 2013 16:43:21 +0400
Vasily Kulikov seg...@openwall.com wrote:
Hi Jeff,
On Mon, Nov 11, 2013 at 07:18 -0500, Jeff Layton wrote:
What's the correct approach to fix this? One possibility would be to
keep a kernel thread around that sits in the correct namespace(s) and
has
On Mon, Nov 11, 2013 at 07:18:25AM -0500, Jeff Layton wrote:
We have a bit of a problem wrt to upcalls that use call_usermodehelper
with containers and I'd like to bring this to some sort of resolution...
A particularly problematic case (though there are others) is the
nfsdcltrack upcall
70 matches
Mail list logo