首页 发现 帮助
登录
GfA
/
linux_kernel
5
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

userns,pidns: Force thread group sharing, not signal handler sharing.

The code that places signals in signal queues computes the uids, gids,
and pids at the time the signals are enqueued.  Which means that tasks
that share signal queues must be in the same pid and user namespaces.

Sharing signal handlers is fine, but bizarre.

So make the code in fork and userns_install clearer by only testing
for what is functionally necessary.

Also update the comment in unshare about unsharing a user namespace to
be a little more explicit and make a little more sense.

Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Eric W. Biederman 10 年之前
父节点
12c641ab82
当前提交
faf00da544
共有 2 个文件被更改,包括 6 次插入6 次删除
分列视图 显示文件统计
  1. 4 4
      kernel/fork.c
  2. 2 2
      kernel/user_namespace.c

+ 4 - 4
kernel/fork.c
查看文件 

@@ -1273,10 +1273,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
 
 
 	/*
 
 	 * If the new process will be in a different pid or user namespace
 
-	 * do not allow it to share a thread group or signal handlers or
 
-	 * parent with the forking task.
 
+	 * do not allow it to share a thread group with the forking task.
 
 	 */
 
-	if (clone_flags & CLONE_SIGHAND) {
 
+	if (clone_flags & CLONE_THREAD) {
 
 		if ((clone_flags & (CLONE_NEWUSER | CLONE_NEWPID)) ||
 
 		    (task_active_pid_ns(current) !=
 
 				current->nsproxy->pid_ns_for_children))
 
@@ -1944,7 +1943,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
 
 	int err;
 
 
 	/*
 
-	 * If unsharing a user namespace must also unshare the thread.
 
+	 * If unsharing a user namespace must also unshare the thread group
 
+	 * and unshare the filesystem root and working directories.
 
 	 */
 
 	if (unshare_flags & CLONE_NEWUSER)
 
 		unshare_flags |= CLONE_THREAD | CLONE_FS;

+ 2 - 2
kernel/user_namespace.c
查看文件 

@@ -976,8 +976,8 @@ static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
 
 	if (user_ns == current_user_ns())
 
 		return -EINVAL;
 
 
-	/* Threaded processes may not enter a different user namespace */
 
-	if (atomic_read(&current->mm->mm_users) > 1)
 
+	/* Tasks that share a thread group must share a user namespace */
 
+	if (!thread_group_empty(current))
 
 		return -EINVAL;
 
 
 	if (current->fs->users != 1)