[PULL,xenial,SRU] Fix for LP#1588056

Message ID 20160624175755.GA55505@ubuntu-hedt
State New
Pull-request

git://git.launchpad.net/~sforshee/+git/ubuntu-xenial lp1588056

Message

Seth Forshee June 24, 2016, 5:57 p.m. UTC

BugLink: http://bugs.launchpad.net/bugs/1588056

These commits fix a problem with cgroupfs mounting by reverting some
sauce patches we're carrying and pulling in updates from the patches
recently added to linux-next. As a result the changes go a bit beyond
simply fixing the bug, but being more closely aligned with upstream
should help ease maintenance moving forward.

I'll address a couple of potentially concerning aspects of these changes
up front:

 * This reverts our fix for LP#1566505. The upstream changes which fix
   the problem look a little different but are functionally identical,
   and I've verified that the bug is still fixed.

 * Upstream has disabled mounting of the bpf fs in user namespaces in
   4.7-rc kernels due to the implementation being flawed. As a result
   the upstream commits do not contain updates to bpf needed in xenial,
   so my options were either to make those changes myself or pull in the
   commits to disable it. I opted for the latter since this fs is new in
   4.4, doesn't have any users that I've been able to find, and is
   broken for non-init namespace mounts anyway.

Thanks,
Seth


The following changes since commit 35825c221f91372f49857c8c1ff76cd3b915a78a:

  UBUNTU: SAUCE: (noup) Update zfs to 0.6.5.6-0ubuntu10 (2016-06-24 11:10:37 +0100)

are available in the git repository at:

  git://git.launchpad.net/~sforshee/+git/ubuntu-xenial lp1588056

for you to fetch changes up to 3c50fc39e79c20c696f77001730b24266415c4c4:

  (namespace) ipc/mqueue: The mqueue filesystem should never contain executables (2016-06-24 08:54:49 -0500)

----------------------------------------------------------------
Daniel Borkmann (1):
      (namespace) bpf, inode: disallow userns mounts

Eric W. Biederman (5):
      (namespace) bpf: Use mount_nodev not mount_ns to mount the bpf filesystem
      (namespace) ipc: Initialize ipc_namespace->user_ns early.
      (namespace) vfs: Pass data, ns, and ns->userns to mount_ns
      (namespace) kernfs: The cgroup filesystem also benefits from SB_I_NOEXEC
      (namespace) ipc/mqueue: The mqueue filesystem should never contain executables

Seth Forshee (4):
      Revert "UBUNTU: SAUCE: (namespace) mqueue: Super blocks must be owned by the user ns which owns the ipc ns"
      Revert "UBUNTU: SAUCE: kernfs: Do not match superblock in another user namespace when mounting"
      Revert "UBUNTU: SAUCE: cgroup: Use a new super block when mounting in a cgroup namespace"
      UBUNTU: SAUCE: (namespace) Sync with upstream s_user_ns patches

 fs/kernfs/mount.c           |  8 +++++---
 fs/nfsd/nfsctl.c            | 13 ++++---------
 fs/super.c                  | 30 +++++++++++++++++-------------
 fs/sysfs/mount.c            |  3 ---
 include/linux/cgroup-defs.h |  4 ----
 include/linux/fs.h          |  6 ++----
 ipc/mqueue.c                | 21 ++++++++-------------
 ipc/namespace.c             |  1 +
 kernel/bpf/inode.c          |  3 +--
 kernel/cgroup.c             | 69 +++++++++++++++++++++++++++++++++++++++------------------------------
 net/sunrpc/rpc_pipe.c       |  8 ++++----
 11 files changed, 81 insertions(+), 85 deletions(-)

Comments

Tim Gardner June 27, 2016, 3:48 p.m. UTC | #1
I presume this pile has been run against LXD regression tests ?

Seth Forshee June 27, 2016, 4:50 p.m. UTC | #2
On Mon, Jun 27, 2016 at 09:48:23AM -0600, Tim Gardner wrote:
> I presume this pile has been run against LXD regression tests ?

Yes.

Seth Forshee June 27, 2016, 8:03 p.m. UTC | #3
On Fri, Jun 24, 2016 at 12:57:55PM -0500, Seth Forshee wrote:
>  * This reverts our fix for LP#1566505. The upstream changes which fix
>    the problem look a little different but are functionally identical,
>    and I've verified that the bug is still fixed.

Oops, I got the wrong bug number above, should be LP#1582378.

Brad Figg June 28, 2016, 2:21 p.m. UTC | #4
Positive testing.

Kamal Mostafa June 28, 2016, 3:35 p.m. UTC | #5