diff options
| author | Christian Brauner <christian.brauner@ubuntu.com> | 2020-04-24 18:20:50 +0200 |
|---|---|---|
| committer | Hannes Reinecke <hare@suse.de> | 2021-06-10 09:01:56 +0200 |
| commit | 147e14e30cde27157d6794c149aa0eb10f578ff1 (patch) | |
| tree | 307749d448dda812bb97fe1f24ec5c17d010fd34 | |
| parent | d046fa22260c72e6c547f58713b4aa5e9cf5ee8b (diff) | |
| download | scsi-devel-147e14e30cde27157d6794c149aa0eb10f578ff1.tar.gz | |
kernfs: propagate devices from initial namespace
For sysfs the initial namespace is special. All devices currently
propagate into all non-initial namespaces. For example, sysfs is usually
mounted in a privileged or unprivileged container and all devices are
visible to the container but are owned by global root. Even though none
of the propagated files can be used there are still a lot of read-only
values that are accessed or read by tools running in non-initial
namespaces. Some devices though, which can be moved or created in
another namespace, will only show up in the corresponding namespace.
Since all current workloads depend on devices from the inital namespace
being visible this behavior cannot be simply changed. This patch
implements a initial_ns_propagates() callback to allow device classes to show
devices in their correct namespace.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Tejun Heo <tj@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | fs/kernfs/dir.c | 34 | ||||
| -rw-r--r-- | fs/kernfs/kernfs-internal.h | 24 | ||||
| -rw-r--r-- | fs/sysfs/mount.c | 4 | ||||
| -rw-r--r-- | include/linux/kernfs.h | 22 | ||||
| -rw-r--r-- | include/linux/kobject_ns.h | 4 | ||||
| -rw-r--r-- | lib/kobject.c | 2 |
6 files changed, 85 insertions, 5 deletions
diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c index b4fbe870fc968..f2e5e8320c9ff 100644 --- a/fs/kernfs/dir.c +++ b/fs/kernfs/dir.c @@ -575,10 +575,15 @@ static int kernfs_dop_revalidate(struct dentry *dentry, unsigned int flags) goto out_bad; /* The kernfs node has been moved to a different namespace */ - if (kn->parent && kernfs_ns_enabled(kn->parent) && - kernfs_info(dentry->d_sb)->ns[kn->ns_type] != kn->ns) - goto out_bad; + if (kn->parent && kernfs_ns_enabled(kn->parent)) { + if (kernfs_init_ns_propagates(kn->parent) && + kn->ns == kernfs_init_ns(kn->parent->ns_type)) + goto out_good; + if (kernfs_info(dentry->d_sb)->ns[kn->parent->ns_type] != kn->ns) + goto out_bad; + } +out_good: mutex_unlock(&kernfs_mutex); return 1; out_bad: @@ -1089,6 +1094,10 @@ static struct dentry *kernfs_iop_lookup(struct inode *dir, ns = kernfs_info(dir->i_sb)->ns[parent->ns_type]; kn = kernfs_find_ns(parent, dentry->d_name.name, ns); + if (!kn && kernfs_init_ns_propagates(parent)) { + ns = kernfs_init_ns(parent->ns_type); + kn = kernfs_find_ns(parent, dentry->d_name.name, ns); + } /* no such entry */ if (!kn || !kernfs_active(kn)) { @@ -1615,6 +1624,8 @@ static int kernfs_dir_fop_release(struct inode *inode, struct file *filp) static struct kernfs_node *kernfs_dir_pos(const void *ns, struct kernfs_node *parent, loff_t hash, struct kernfs_node *pos) { + const void *init_ns; + if (pos) { int valid = kernfs_active(pos) && pos->parent == parent && hash == pos->hash; @@ -1622,6 +1633,12 @@ static struct kernfs_node *kernfs_dir_pos(const void *ns, if (!valid) pos = NULL; } + + if (kernfs_init_ns_propagates(parent)) + init_ns = kernfs_init_ns(parent->ns_type); + else + init_ns = NULL; + if (!pos && (hash > 1) && (hash < INT_MAX)) { struct rb_node *node = parent->dir.children.rb_node; while (node) { @@ -1636,7 +1653,7 @@ static struct kernfs_node *kernfs_dir_pos(const void *ns, } } /* Skip over entries which are dying/dead or in the wrong namespace */ - while (pos && (!kernfs_active(pos) || pos->ns != ns)) { + while (pos && (!kernfs_active(pos) || (pos->ns != ns && pos->ns != init_ns))) { struct rb_node *node = rb_next(&pos->rb); if (!node) pos = NULL; @@ -1651,13 +1668,20 @@ static struct kernfs_node *kernfs_dir_next_pos(const void *ns, { pos = kernfs_dir_pos(ns, parent, ino, pos); if (pos) { + const void *init_ns; + if (kernfs_init_ns_propagates(parent)) + init_ns = kernfs_init_ns(parent->ns_type); + else + init_ns = NULL; + do { struct rb_node *node = rb_next(&pos->rb); if (!node) pos = NULL; else pos = rb_to_kn(node); - } while (pos && (!kernfs_active(pos) || pos->ns != ns)); + } while (pos && (!kernfs_active(pos) || + (pos->ns != ns && pos->ns != init_ns))); } return pos; } diff --git a/fs/kernfs/kernfs-internal.h b/fs/kernfs/kernfs-internal.h index 3b9bcd29a8cbd..ae12ca76b51d5 100644 --- a/fs/kernfs/kernfs-internal.h +++ b/fs/kernfs/kernfs-internal.h @@ -80,6 +80,30 @@ static inline struct kernfs_node *kernfs_dentry_node(struct dentry *dentry) return d_inode(dentry)->i_private; } +#ifdef CONFIG_NET +extern struct net init_net; +#endif + +extern struct user_namespace init_user_ns; + +static inline const void *kernfs_init_ns(enum kobj_ns_type ns_type) +{ + switch (ns_type) { + case KOBJ_NS_TYPE_NET: +#ifdef CONFIG_NET + return &init_net; +#else + break; +#endif + case KOBJ_NS_TYPE_USER: + return &init_user_ns; + default: + pr_debug("Unsupported namespace type %d for kernfs\n", ns_type); + } + + return NULL; +} + extern const struct super_operations kernfs_sops; extern struct kmem_cache *kernfs_node_cache, *kernfs_iattrs_cache; diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c index 69da4338e914a..b2f79fb033ed8 100644 --- a/fs/sysfs/mount.c +++ b/fs/sysfs/mount.c @@ -43,6 +43,8 @@ static void sysfs_fs_context_free(struct fs_context *fc) if (kfc->ns_tag[KOBJ_NS_TYPE_NET]) kobj_ns_drop(KOBJ_NS_TYPE_NET, kfc->ns_tag[KOBJ_NS_TYPE_NET]); + if (kfc->ns_tag[KOBJ_NS_TYPE_USER]) + kobj_ns_drop(KOBJ_NS_TYPE_USER, kfc->ns_tag[KOBJ_NS_TYPE_USER]); kernfs_free_fs_context(fc); kfree(kfc); } @@ -67,6 +69,7 @@ static int sysfs_init_fs_context(struct fs_context *fc) return -ENOMEM; kfc->ns_tag[KOBJ_NS_TYPE_NET] = netns = kobj_ns_grab_current(KOBJ_NS_TYPE_NET); + kfc->ns_tag[KOBJ_NS_TYPE_USER] = kobj_ns_grab_current(KOBJ_NS_TYPE_USER); kfc->root = sysfs_root; kfc->magic = SYSFS_MAGIC; fc->fs_private = kfc; @@ -84,6 +87,7 @@ static void sysfs_kill_sb(struct super_block *sb) void **ns = (void **)kernfs_super_ns(sb); kobj_ns_drop(KOBJ_NS_TYPE_NET, ns[KOBJ_NS_TYPE_NET]); + kobj_ns_drop(KOBJ_NS_TYPE_USER, ns[KOBJ_NS_TYPE_USER]); kernfs_kill_sb(sb); } diff --git a/include/linux/kernfs.h b/include/linux/kernfs.h index 69e1b173b2c7b..91fd66b4016bb 100644 --- a/include/linux/kernfs.h +++ b/include/linux/kernfs.h @@ -53,6 +53,7 @@ enum kernfs_node_flag { KERNFS_SUICIDED = 0x0800, KERNFS_EMPTY_DIR = 0x1000, KERNFS_HAS_RELEASE = 0x2000, + KERNFS_NS_PROPAGATE = 0x4000, }; /* @flags for kernfs_create_root() */ @@ -337,6 +338,27 @@ static inline void kernfs_enable_ns(struct kernfs_node *kn, kn->ns_type = ns_type; } +static inline void kernfs_enable_init_ns_propagates(struct kernfs_node *kn) +{ + WARN_ON_ONCE(kernfs_type(kn) != KERNFS_DIR); + WARN_ON_ONCE(!RB_EMPTY_ROOT(&kn->dir.children)); + WARN_ON_ONCE(!(kn->flags & KERNFS_NS)); + kn->flags |= KERNFS_NS_PROPAGATE; +} + +/** + * kernfs_init_ns_propagates - test whether init ns propagates + * @kn: the node to test + * + * Test whether kernfs entries created in the init namespace propagate into + * other namespaces. + */ +static inline bool kernfs_init_ns_propagates(const struct kernfs_node *kn) +{ + return ((kn->flags & (KERNFS_NS | KERNFS_NS_PROPAGATE)) == + (KERNFS_NS | KERNFS_NS_PROPAGATE)); +} + /** * kernfs_ns_enabled - test whether namespace is enabled * @kn: the node to test diff --git a/include/linux/kobject_ns.h b/include/linux/kobject_ns.h index 88cdc8a71cd71..5202628198d59 100644 --- a/include/linux/kobject_ns.h +++ b/include/linux/kobject_ns.h @@ -26,6 +26,7 @@ struct kobject; enum kobj_ns_type { KOBJ_NS_TYPE_NONE = 0, KOBJ_NS_TYPE_NET, + KOBJ_NS_TYPE_USER, KOBJ_NS_TYPES }; @@ -34,6 +35,8 @@ enum kobj_ns_type { * @grab_current_ns: return a new reference to calling task's namespace * @initial_ns: return the initial namespace (i.e. init_net_ns) * @drop_ns: drops a reference to namespace + * @initial_ns_propagates: whether devices in the initial namespace propagate + * to all other namespaces */ struct kobj_ns_type_operations { enum kobj_ns_type type; @@ -41,6 +44,7 @@ struct kobj_ns_type_operations { void *(*grab_current_ns)(void); const void *(*initial_ns)(void); void (*drop_ns)(void *); + bool (*initial_ns_propagates)(void); }; int kobj_ns_type_register(const struct kobj_ns_type_operations *ops); diff --git a/lib/kobject.c b/lib/kobject.c index 2f37172382e31..525884e1bf638 100644 --- a/lib/kobject.c +++ b/lib/kobject.c @@ -121,6 +121,8 @@ static int create_dir(struct kobject *kobj) BUG_ON(!kobj_ns_type_registered(ops->type)); sysfs_enable_ns(kobj->sd, ops->type); + if (ops->initial_ns_propagates && ops->initial_ns_propagates()) + kernfs_enable_init_ns_propagates(kobj->sd); } return 0; |