1. Patchew
  2. linux
  3. View series

[PATCH 0/2] Revert "fs/exec: allow to unshare a time namespace on vfork+exec"

Andrei Vagin posted 2 patches 3 years, 6 months ago 
fs/exec.c                                   |  7 --
kernel/fork.c                               |  5 +-
kernel/nsproxy.c                            |  3 +-
tools/testing/selftests/timens/Makefile     |  2 +-
tools/testing/selftests/timens/vfork_exec.c | 90 ---------------------
5 files changed, 3 insertions(+), 104 deletions(-)
delete mode 100644 tools/testing/selftests/timens/vfork_exec.c
[PATCH 0/2] Revert "fs/exec: allow to unshare a time namespace on vfork+exec"
Posted by Andrei Vagin 3 years, 6 months ago 
This reverts commits:
133e2d3e81de ("fs/exec: allow to unshare a time namespace on vfork+exec")
6342140db660 ("selftests/timens: add a test for vfork+exit")

Alexey pointed out a few undesirable side effects of the reverted change.
First, it doesn't take into account that CLONE_VFORK can be used with
CLONE_THREAD. Second, a child process doesn't enter a target time name-space,
if its parent dies before the child calls exec. It happens because the parent
clears vfork_done.

Eric W. Biederman suggests installing a time namespace as a task gets a new mm.
It includes all new processes cloned without CLONE_VM and all tasks that call
exec(). This is an user API change, but we think there aren't users that depend
on the old behavior.

It is too late to make such changes in this release, so let's roll back
this patch and introduce the right one in the next release.

Andrei Vagin (2):
  Revert "selftests/timens: add a test for vfork+exit"
  Revert "fs/exec: allow to unshare a time namespace on vfork+exec"

 fs/exec.c                                   |  7 --
 kernel/fork.c                               |  5 +-
 kernel/nsproxy.c                            |  3 +-
 tools/testing/selftests/timens/Makefile     |  2 +-
 tools/testing/selftests/timens/vfork_exec.c | 90 ---------------------
 5 files changed, 3 insertions(+), 104 deletions(-)
 delete mode 100644 tools/testing/selftests/timens/vfork_exec.c

-- 
2.37.2.789.g6183377224-goog
Re: [PATCH 0/2] Revert "fs/exec: allow to unshare a time namespace on vfork+exec"
Posted by Kees Cook 3 years, 6 months ago 
On Tue, Sep 13, 2022 at 03:25:49AM -0700, Andrei Vagin wrote:
> This reverts commits:
> 133e2d3e81de ("fs/exec: allow to unshare a time namespace on vfork+exec")
> 6342140db660 ("selftests/timens: add a test for vfork+exit")
> 
> Alexey pointed out a few undesirable side effects of the reverted change.
> First, it doesn't take into account that CLONE_VFORK can be used with
> CLONE_THREAD. Second, a child process doesn't enter a target time name-space,
> if its parent dies before the child calls exec. It happens because the parent
> clears vfork_done.
> 
> Eric W. Biederman suggests installing a time namespace as a task gets a new mm.
> It includes all new processes cloned without CLONE_VM and all tasks that call
> exec(). This is an user API change, but we think there aren't users that depend
> on the old behavior.

Can we include that patch here as well?

> It is too late to make such changes in this release, so let's roll back
> this patch and introduce the right one in the next release.

Do you mean you'd like this revert to land for v6.0, and we should wait
for the new API for later?

-- 
Kees Cook
Re: [PATCH 0/2] Revert "fs/exec: allow to unshare a time namespace on vfork+exec"
Posted by Andrei Vagin 3 years, 6 months ago 
On Tue, Sep 13, 2022 at 5:18 AM Kees Cook <keescook@chromium.org> wrote:
>
> On Tue, Sep 13, 2022 at 03:25:49AM -0700, Andrei Vagin wrote:
> > This reverts commits:
> > 133e2d3e81de ("fs/exec: allow to unshare a time namespace on vfork+exec")
> > 6342140db660 ("selftests/timens: add a test for vfork+exit")
> >
> > Alexey pointed out a few undesirable side effects of the reverted change.
> > First, it doesn't take into account that CLONE_VFORK can be used with
> > CLONE_THREAD. Second, a child process doesn't enter a target time name-space,
> > if its parent dies before the child calls exec. It happens because the parent
> > clears vfork_done.
> >
> > Eric W. Biederman suggests installing a time namespace as a task gets a new mm.
> > It includes all new processes cloned without CLONE_VM and all tasks that call
> > exec(). This is an user API change, but we think there aren't users that depend
> > on the old behavior.
>
> Can we include that patch here as well?

It is attached. I need to test it and then I will send it properly.

>
> > It is too late to make such changes in this release, so let's roll back
> > this patch and introduce the right one in the next release.
>
> Do you mean you'd like this revert to land for v6.0, and we should wait
> for the new API for later?

Yes, I mean this. I think we should merge the new patch in v6.1-rc1 so
it sits there for a while.

Thanks,
Andrei
Re: [PATCH 0/2] Revert "fs/exec: allow to unshare a time namespace on vfork+exec"
Posted by Kees Cook 3 years, 6 months ago 
On Tue, 13 Sep 2022 03:25:49 -0700, Andrei Vagin wrote:
> This reverts commits:
> 133e2d3e81de ("fs/exec: allow to unshare a time namespace on vfork+exec")
> 6342140db660 ("selftests/timens: add a test for vfork+exit")
> 
> Alexey pointed out a few undesirable side effects of the reverted change.
> First, it doesn't take into account that CLONE_VFORK can be used with
> CLONE_THREAD. Second, a child process doesn't enter a target time name-space,
> if its parent dies before the child calls exec. It happens because the parent
> clears vfork_done.
> 
> [...]

Applied to for-linus/execve, thanks!

[1/2] Revert "selftests/timens: add a test for vfork+exit"
      https://git.kernel.org/kees/c/2b1e8921fc35
[2/2] Revert "fs/exec: allow to unshare a time namespace on vfork+exec"
      https://git.kernel.org/kees/c/33a2d6bc3480

-- 
Kees Cook

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.