On 08/19, Andy Lutomirski wrote: > > On Mon, Aug 19, 2013 at 10:25 AM, Oleg Nesterov <[email protected]> wrote: > > Hello. > > > > Colin reports that vfork() doesn't work after unshare(PIDNS). The > > reason is trivial, copy_process() does: > > > > /* > > * If the new process will be in a different pid namespace > > * don't allow the creation of threads. > > */ > > if ((clone_flags & (CLONE_VM|CLONE_NEWPID)) && > > (task_active_pid_ns(current) != current->nsproxy->pid_ns)) > > return ERR_PTR(-EINVAL); > > > > and CLONE_VM obviously nacks vfork(). So perhaps we can relax > > this check to CLONE_THREAD? Or should we really nack CLONE_VM > > by security reasons? > > > > OTOH. Perhaps we should also deny CLONE_PARENT in this case? > > > > In short. So far I am thinking about the patch below but I got > > lost and totally confused. Will try to think more tomorrow, but > > I would like to see the fix from someone who still understands > > this all. > > > > Oleg. > > By way of (partial) explanation: > > http://marc.info/?l=linux-kernel&m=135545831607095
Thanks... too late for me to even try to read this discussion today. and I am a bit confused, > (tl;dr: I think that CLONE_VM is irrelevant here, but there may be > other issues lurking around.) So do you think this change is fine or not (ignoring the fact it needs cleanups) ? Oleg. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
