[PATCH] Fix capability.c to work with threaded init [message #19546] Fri, 03 August 2007 06:26
From: Sukadev Bhattiprolu <sukadev@us.ibm.com>
Subject: [PATCH] Fix capability.c to work with threaded init

Callers of is_container_init() should pass in task->group_leader
to ensure they work with threaded-init.

Signed-off-by: Sukadev Bhattiprolu <sukadev@us.ibm.com>
---
 kernel/capability.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: lx26-23-rc1-mm1/kernel/capability.c
===================================================================
--- lx26-23-rc1-mm1.orig/kernel/capability.c	2007-08-02 22:58:02.000000000 -0700
+++ lx26-23-rc1-mm1/kernel/capability.c	2007-08-02 22:58:17.000000000 -0700
@@ -137,7 +137,7 @@ static inline int cap_set_all(kernel_cap
      int found = 0;
 
      do_each_thread(g, target) {
-             if (target == current || is_container_init(target))
+             if (target == current || is_container_init(target->group_leader))
                      continue;
              found = 1;
 	     if (security_capset_check(target, effective, inheritable,
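
Review bot: the changelog speaks of "Callers of is_container_init()" in the plural, but the diffstat shows a single changed line, the skip test inside the do_each_thread() loop of cap_set_all(). Either name the other callers and say why they are already correct, or document the group_leader requirement at is_container_init() (or do the lookup inside it) so that a caller cannot pass a non-leader thread by mistake.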
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
Re: [PATCH] Fix capability.c to work with threaded init [message #19548 is a reply to message #19546] Fri, 03 August 2007 16:51
Dave Hansen
On Thu, 2007-08-02 at 23:26 -0700, sukadev@us.ibm.com wrote:
> 
> Callers of is_container_init() should pass in task->group_leader
> to ensure they work with threaded-init.

Can you explain this in a little more detail?  That's a pretty sparse
changelog.

-- Dave

Re: [PATCH] Fix capability.c to work with threaded init [message #19550 is a reply to message #19546] Fri, 03 August 2007 20:51
Sukadev Bhattiprolu
Oleg Nesterov [oleg@tv-sign.ru] wrote:
| On 08/03, Dave Hansen wrote:
| >
| > On Thu, 2007-08-02 at 23:26 -0700, sukadev@us.ibm.com wrote:
| > > 
| > > Callers of is_container_init() should pass in task->group_leader
| > > to ensure they work with threaded-init.
| > 
| > Can you explain this in a little more detail?  That's a pretty sparse
| > changelog.
|

You are right. The changelog could be better. How about this:

| 
| Without this change cap_set_all() skips only the main thread of /sbin/init,
| but we should skip the entire process as the comment states.
| 
| Oleg.


---

From: Sukadev Bhattiprolu <sukadev@us.ibm.com>
Subject: [PATCH] cap_set_all() must skip all threads of init

When setting capabilities, cap_set_all() must skip all threads of the
container_init process - not just the main thread. 

Signed-off-by: Sukadev Bhattiprolu <sukadev@us.ibm.com>
---
 kernel/capability.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: lx26-23-rc1-mm1/kernel/capability.c
===================================================================
--- lx26-23-rc1-mm1.orig/kernel/capability.c	2007-08-02 22:58:02.000000000 -0700
+++ lx26-23-rc1-mm1/kernel/capability.c	2007-08-02 22:58:17.000000000 -0700
@@ -137,7 +137,7 @@ static inline int cap_set_all(kernel_cap
      int found = 0;
 
      do_each_thread(g, target) {
-             if (target == current || is_container_init(target))
+             if (target == current || is_container_init(target->group_leader))
                      continue;
              found = 1;
 	     if (security_capset_check(target, effective, inheritable,
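
Review bot: in the changed condition the two halves now skip at different granularity: is_container_init(target->group_leader) matches every thread of init, while target == current still matches only the calling thread, so the caller's sibling threads fall through to found = 1 and security_capset_check(). If that asymmetry is intended, the changelog should say so; it would also help to state what goes wrong today when a non-leader thread of init has its capabilities changed.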

Re: [PATCH] Fix capability.c to work with threaded init [message #19553 is a reply to message #19548] Fri, 03 August 2007 17:29
Oleg Nesterov
On 08/03, Dave Hansen wrote:
>
> On Thu, 2007-08-02 at 23:26 -0700, sukadev@us.ibm.com wrote:
> > 
> > Callers of is_container_init() should pass in task->group_leader
> > to ensure they work with threaded-init.
> 
> Can you explain this in a little more detail?  That's a pretty sparse
> changelog.

Without this change cap_set_all() skips only the main thread of /sbin/init,
but we should skip the entire process as the comment states.

Oleg.

Fw: Re: [PATCH] Fix capability.c to work with threaded init [message #19561 is a reply to message #19546] Tue, 07 August 2007 21:31
Sukadev Bhattiprolu
Hi Pavel,

This patch seems to be missing from your most recent patchset.
Do you want to include it in the set as a helper or should I
just send this to Andrew separately?

Suka

----- Forwarded message from sukadev@us.ibm.com -----

| Date: Fri, 3 Aug 2007 13:51:20 -0700
| From: sukadev@us.ibm.com
| To: Oleg Nesterov <oleg@tv-sign.ru>
| Cc: Containers <containers@lists.osdl.org>, Pavel Emelianov <xemul@openvz.org>
| Subject: Re: [PATCH] Fix capability.c to work with threaded init
| 
| Oleg Nesterov [oleg@tv-sign.ru] wrote:
| | On 08/03, Dave Hansen wrote:
| | >
| | > On Thu, 2007-08-02 at 23:26 -0700, sukadev@us.ibm.com wrote:
| | > > 
| | > > Callers of is_container_init() should pass in task->group_leader
| | > > to ensure they work with threaded-init.
| | > 
| | > Can you explain this in a little more detail?  That's a pretty sparse
| | > changelog.
| |
| 
| You are right. The changelog could be better. How about this:
| 
| | 
| | Without this change cap_set_all() skips only the main thread of /sbin/init,
| | but we should skip the entire process as the comment states.
| | 
| | Oleg.
| 
| 
| ---
| 
| From: Sukadev Bhattiprolu <sukadev@us.ibm.com>
| Subject: [PATCH] cap_set_all() must skip all threads of init
| 
| When setting capabilities, cap_set_all() must skip all threads of the
| container_init process - not just the main thread. 
| 
| Signed-off-by: Sukadev Bhattiprolu <sukadev@us.ibm.com>
| ---
|  kernel/capability.c |    2 +-
|  1 file changed, 1 insertion(+), 1 deletion(-)
| 
| Index: lx26-23-rc1-mm1/kernel/capability.c
| ===================================================================
| --- lx26-23-rc1-mm1.orig/kernel/capability.c	2007-08-02 22:58:02.000000000 -0700
| +++ lx26-23-rc1-mm1/kernel/capability.c	2007-08-02 22:58:17.000000000 -0700
| @@ -137,7 +137,7 @@ static inline int cap_set_all(kernel_cap
|       int found = 0;
| 
|       do_each_thread(g, target) {
| -             if (target == current || is_container_init(target))
| +             if (target == current || is_container_init(target->group_leader))
|                       continue;
|               found = 1;
|  	     if (security_capset_check(target, effective, inheritable,
| 
| _______________________________________________
| Containers mailing list
| Containers@lists.linux-foundation.org
| https://lists.linux-foundation.org/mailman/listinfo/containers

----- End forwarded message -----
Re: Fw: Re: [PATCH] Fix capability.c to work with threaded init [message #19611 is a reply to message #19561] Wed, 08 August 2007 07:16
Pavel Emelianov
sukadev@us.ibm.com wrote:
> Hi Pavel,
> 
> This patch seems to be missing from your most recent patchset.
> Do you want to include it in the set as a helper or should I
> just send this to Andrew separately?

Well, AFAIS this is also relevant to current kernel, so I think
that if you send it to Andrew this will be just fine. Besides,
the pid namespaces patchset is already huge, so pushing patches
separately from it is also very good.

Thanks,
Pavel

> Suka
> 
> ----- Forwarded message from sukadev@us.ibm.com -----
> 
> | Date: Fri, 3 Aug 2007 13:51:20 -0700
> | From: sukadev@us.ibm.com
> | To: Oleg Nesterov <oleg@tv-sign.ru>
> | Cc: Containers <containers@lists.osdl.org>, Pavel Emelianov <xemul@openvz.org>
> | Subject: Re: [PATCH] Fix capability.c to work with threaded init
> | 
> | Oleg Nesterov [oleg@tv-sign.ru] wrote:
> | | On 08/03, Dave Hansen wrote:
> | | >
> | | > On Thu, 2007-08-02 at 23:26 -0700, sukadev@us.ibm.com wrote:
> | | > > 
> | | > > Callers of is_container_init() should pass in task->group_leader
> | | > > to ensure they work with threaded-init.
> | | > 
> | | > Can you explain this in a little more detail?  That's a pretty sparse
> | | > changelog.
> | |
> | 
> | You are right. The changelog could be better. How about this:
> | 
> | | 
> | | Without this change cap_set_all() skips only the main thread of /sbin/init,
> | | but we should skip the entire process as the comment states.
> | | 
> | | Oleg.
> | 
> | 
> | ---
> | 
> | From: Sukadev Bhattiprolu <sukadev@us.ibm.com>
> | Subject: [PATCH] cap_set_all() must skip all threads of init
> | 
> | When setting capabilities, cap_set_all() must skip all threads of the
> | container_init process - not just the main thread. 
> | 
> | Signed-off-by: Sukadev Bhattiprolu <sukadev@us.ibm.com>
> | ---
> |  kernel/capability.c |    2 +-
> |  1 file changed, 1 insertion(+), 1 deletion(-)
> | 
> | Index: lx26-23-rc1-mm1/kernel/capability.c
> | ===================================================================
> | --- lx26-23-rc1-mm1.orig/kernel/capability.c	2007-08-02 22:58:02.000000000 -0700
> | +++ lx26-23-rc1-mm1/kernel/capability.c	2007-08-02 22:58:17.000000000 -0700
> | @@ -137,7 +137,7 @@ static inline int cap_set_all(kernel_cap
> |       int found = 0;
> | 
> |       do_each_thread(g, target) {
> | -             if (target == current || is_container_init(target))
> | +             if (target == current || is_container_init(target->group_leader))
> |                       continue;
> |               found = 1;
> |  	     if (security_capset_check(target, effective, inheritable,
> | 
> | _______________________________________________
> | Containers mailing list
> | Containers@lists.linux-foundation.org
> | https://lists.linux-foundation.org/mailman/listinfo/containers
> 
> ----- End forwarded message -----
> 
