On Wed, 2018-08-01 at 16:19 +0200, Oleg Nesterov wrote:
> On 07/31, Jürg Billeter wrote:
> >
> > > Could you explain your use-case? Why a shell wants to use
> > > CLONE_NEWPID?
> >
> > To guarantee that there won't be any runaway processes, i.e., ensur
On Fri, 2018-08-03 at 08:34 -0500, Eric W. Biederman wrote:
> From the other direction I think we can just go ahead and fix handling
> of the job control stop signals as well. As far as I understand it
> there is a legitimate complaint that SIGTSTP SIGTTIN SIGTTOU do not work
> on a pid namespace
ely on the default actions as described in signal(7) and
PID isolation may be useful. This new prctl makes the signal protection
for "init" processes optional, without breaking backward compatibility.
Signed-off-by: Jürg Billeter
---
include/uapi/linux/prctl.h | 4
kernel/sys.
copy_process() currently checks the SIGNAL_UNKILLABLE flag to determine
whether to accept CLONE_PARENT. In preparation for allowing init
processes to opt out of SIGNAL_UNKILLABLE, directly check whether the
process is an init process with is_child_reaper().
Signed-off-by: Jürg Billeter
setting the SIGNAL_UNKILLABLE flag, only
clearing.
Signed-off-by: Jürg Billeter
---
include/uapi/linux/prctl.h | 4
kernel/sys.c | 11 +++
2 files changed, 15 insertions(+)
diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
index c0d7ea0bf5b6
On Mon, 2018-07-30 at 12:17 +0200, Oleg Nesterov wrote:
> On 07/30, Jürg Billeter wrote:
> >
> > This is required for job control in a shell that uses CLONE_NEWPID for
> > child processes.
>
> Could you explain in more detail?
The SIGNAL_UNKILLABLE flag, which
ely on the default actions as described in signal(7) and
PID isolation may be useful. This new prctl makes the signal protection
for "init" processes optional, without breaking backward compatibility.
Signed-off-by: Jürg Billeter
---
v2: Hold siglock for PR_SET_KILLABLE, expand commit mes
On Tue, 2018-07-31 at 16:39 +0200, Oleg Nesterov wrote:
> On 07/31, Jürg Billeter wrote:
> > SIGINT, SIGQUIT and SIGTSTP are used in job control for ^C, ^\, ^Z.
> > While a task with the SIGNAL_UNKILLABLE flag could install handlers for
> > these signals, this is not suff
On Tue, 2018-07-31 at 18:26 +0200, Jann Horn wrote:
> On Mon, Jul 30, 2018 at 10:01 AM Jürg Billeter wrote:
>
> [...]
> > diff --git a/kernel/sys.c b/kernel/sys.c
> > index 38509dc1f77b..264de630d548 100644
> > --- a/kernel/sys.c
> > +++ b/kernel/sys.c
>
>
Signed-off-by: Jürg Billeter
---
Changes since version 1:
- Explain offset handling
man2/io_submit.2 | 13 +
man2/readv.2 | 17 +
2 files changed, 30 insertions(+)
diff --git a/man2/io_submit.2 b/man2/io_submit.2
index 397fd0b75..25961138a 100644
--- a/man2
Hi Aleksa,
On Tue, 2018-11-13 at 01:26 +1100, Aleksa Sarai wrote:
> * O_BENEATH: Disallow "escapes" from the starting point of the
> filesystem tree during resolution (you must stay "beneath" the
> starting point at all times). Currently this is done by disallowing
> ".." and absolute paths
orphaned processes.
If a descendant gained privileges, the current process may not be
allowed to kill it, and the descendant process will survive.
PR_SET_NO_NEW_PRIVS can be used to prevent descendant processes from
gaining privileges.
Suggested-by: Oleg Nesterov
Signed-off-by: Jürg Billeter
---
fs
/lkml/20170929123058.48924-...@bitron.ch/
[2] https://bugzilla.kernel.org/show_bug.cgi?id=43300
[3] https://lkml.kernel.org/lkml/20180803144021.56920-...@bitron.ch/
Jürg Billeter (1):
prctl: add PR_{GET,SET}_KILL_DESCENDANTS_ON_EXIT
fs/exec.c| 6 ++
include/linux/sched
Hi Oleg,
Thanks for the review.
On Thu, 2018-11-29 at 13:34 +0100, Oleg Nesterov wrote:
> To me it would be more clean to call
> walk_process_tree(kill_descendant_visitor)
> unconditionally in find_new_reaper() right before "if (has_child_subreaper)",
> but
> then we will need to shift read_loc
orphaned processes.
If a descendant gained privileges, the current process may not be
allowed to kill it, and the descendant process will survive.
PR_SET_NO_NEW_PRIVS can be used to prevent descendant processes from
gaining privileges.
Suggested-by: Oleg Nesterov
Signed-off-by: Jürg Billeter
---
fs
instead of bitfield to avoid race with
PR_SET_CHILD_SUBREAPER
[1] https://lkml.kernel.org/lkml/20170929123058.48924-...@bitron.ch/
[2] https://bugzilla.kernel.org/show_bug.cgi?id=43300
[3] https://lkml.kernel.org/lkml/20180803144021.56920-...@bitron.ch/
Jürg Billeter (1):
prctl: add PR_{GET
On Thu, 2018-12-06 at 13:30 +0100, Florian Weimer wrote:
> * Christian Brauner:
>
> > /* zombies */
> > Zombies can be signaled just as any other process. No special error will be
> > reported since a zombie state is an unreliable state (cf. [3]).
>
> I still disagree with this analysis. If I kn
On Thu, 2018-12-06 at 14:12 +0100, Florian Weimer wrote:
> * Jürg Billeter:
>
> > On Thu, 2018-12-06 at 13:30 +0100, Florian Weimer wrote:
> > > * Christian Brauner:
> > >
> > > > /* zombies */
> > > > Zombies can be signaled just a
On Fri, 2018-11-30 at 08:00 +, Jürg Billeter wrote:
> This patch adds a new prctl to kill all descendant processes on exit.
> See commit message for details of the prctl.
>
> This is a replacement of PR_SET_PDEATHSIG_PROC I proposed last year [1].
> In the following discussion,
On Fri, 2018-11-30 at 14:40 +0100, Florian Weimer wrote:
> * Jürg Billeter:
>
> > This introduces a new thread group flag that can be set by calling
> >
> > prctl(PR_SET_KILL_DESCENDANTS_ON_EXIT, 1, 0, 0, 0)
> >
> > When a thread group exits with th
On Sat, 2018-12-01 at 13:28 +0100, Florian Weimer wrote:
> * Jürg Billeter:
>
> > On Fri, 2018-11-30 at 14:40 +0100, Florian Weimer wrote:
> > > * Jürg Billeter:
> > >
> > > > This introduces a new thread group flag that can be
Hi Vinod,
On Mon, 2014-12-08 at 17:06 +0530, Vinod Koul wrote:
> Can you please rebase this on my next, this fails to apply for me
This is a patch for Laurent's new rcar-dmac driver, which doesn't appear
to be in your next yet. Laurent has already merged my patch into his
dma/next branch and incl
blk_mq_init_queue() returns ERR_PTR() on failure, not NULL.
Signed-off-by: Jürg Billeter
---
drivers/block/null_blk.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/block/null_blk.c b/drivers/block/null_blk.c
index ae9f615..727309c 100644
--- a/drivers/block
blk_mq_init_queue() returns ERR_PTR() on failure, not NULL.
Signed-off-by: Jürg Billeter
---
drivers/block/virtio_blk.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
index 7ef7c09..b1b5c75 100644
--- a/drivers
Use of_get_named_gpio instead of of_property_read_u32.
Signed-off-by: Jürg Billeter
---
drivers/misc/ti-st/st_kim.c | 13 ++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/drivers/misc/ti-st/st_kim.c b/drivers/misc/ti-st/st_kim.c
index af71584..8df8faa 100644
--- a
GPIO accessor functions may sleep.
Signed-off-by: Jürg Billeter
---
drivers/misc/ti-st/st_kim.c | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/misc/ti-st/st_kim.c b/drivers/misc/ti-st/st_kim.c
index 8df8faa..0ab81d7 100644
--- a/drivers/misc/ti-st
This allows return of other error codes.
Signed-off-by: Jürg Billeter
---
drivers/misc/ti-st/st_kim.c | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/misc/ti-st/st_kim.c b/drivers/misc/ti-st/st_kim.c
index 5027b8f..af71584 100644
--- a/drivers/misc/ti
On Wed, 2015-06-24 at 11:31 -0400, Peter Hurley wrote:
> On 06/24/2015 06:24 AM, Jürg Billeter wrote:
> > @@ -761,8 +762,14 @@ static struct ti_st_plat_data
> > *get_platform_data(struct device *dev)
> > dt_property = of_get_property(np, "dev_name",
Signed-off-by: Jürg Billeter
---
man2/io_submit.2 | 10 ++
man2/readv.2 | 10 ++
2 files changed, 20 insertions(+)
diff --git a/man2/io_submit.2 b/man2/io_submit.2
index 397fd0b75..79fcdfee4 100644
--- a/man2/io_submit.2
+++ b/man2/io_submit.2
@@ -111,6 +111,16 @@ field of
Skip 'disabled' cpu nodes when building the cpu logical map. This avoids
booting cpus that have been disabled in the device tree.
Signed-off-by: Jürg Billeter
Reviewed-by: Ben Dooks
---
arch/arm/kernel/devtree.c | 4
1 file changed, 4 insertions(+)
diff --git a/arch/arm/kernel
The default index 1 was used as the loop was terminated before the
following code could be reached:
    if (mod[i] == this)
        index = i;
Signed-off-by: Jürg Billeter
---
sound/soc/sh/rcar/core.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sound
Hi,
On Thu, 2014-07-03 at 22:57 +0900, Kuninori Morimoto wrote:
> If you add this code,
>
>     if (!ssi) {
>         break;
>     } else ...
>
> then, I guess we can remove this code ?
>
>     if (mod[i] == ssi)
>         break;
I checked the issue on mainline master where the
setbits() uses sp->membase.
Signed-off-by: Jürg Billeter
---
drivers/spi/spi-sh-sci.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/spi/spi-sh-sci.c b/drivers/spi/spi-sh-sci.c
index 1f56ef6..b83dd73 100644
--- a/drivers/spi/spi-sh-sci.c
+++ b/drivers/spi/spi
While it will be clamped to bool by gpiolib, let's make this sane
in the driver as well.
Signed-off-by: Jürg Billeter
---
drivers/gpio/gpio-rcar.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpio/gpio-rcar.c b/drivers/gpio/gpio-rcar.c
index 0c9f803..7c
<8005fdb0>]
(generic_handle_irq+0x20/0x30)
[<8005fdb0>] (generic_handle_irq) from [<8000fcd0>] (handle_IRQ+0x50/0xc4)
[<8000fcd0>] (handle_IRQ) from [<800092cc>] (gic_handle_irq+0x28/0x5c)
[<800092cc>] (gic_handle_irq) from [<80012700>] (__irq_svc+0x40/0x70)
Kernel p
orphaned processes.
If a descendant gained privileges, the current process may not be
allowed to kill it, and the descendant process will survive.
PR_SET_NO_NEW_PRIVS can be used to prevent descendant processes from
gaining privileges.
Suggested-by: Oleg Nesterov
Signed-off-by: Jürg Billeter
Reviewed
instead of bitfield to avoid race with
PR_SET_CHILD_SUBREAPER
[1] https://lkml.kernel.org/lkml/20170929123058.48924-...@bitron.ch/
[2] https://bugzilla.kernel.org/show_bug.cgi?id=43300
[3] https://lkml.kernel.org/lkml/20180803144021.56920-...@bitron.ch/
Jürg Billeter (1):
prctl: add PR_{GET
On Fri, 2019-03-29 at 16:54 +0100, Christian Brauner wrote:
> diff --git a/include/uapi/linux/wait.h b/include/uapi/linux/wait.h
> index ac49a220cf2a..d6c7c0701997 100644
> --- a/include/uapi/linux/wait.h
> +++ b/include/uapi/linux/wait.h
> @@ -18,5 +18,7 @@
> #define P_PID1
> #de
There is only a single hyphen between iwlwifi-8000C and the API version
in the firmware filename.
Fixes: e1ba684f762b ("iwlwifi: 8000: fix MODULE_FIRMWARE input")
Signed-off-by: Jürg Billeter
---
drivers/net/wireless/intel/iwlwifi/iwl-8000.c | 2 +-
1 file changed, 1 insertion(+),
IWL6000G2B_UCODE_API_MAX is not defined. ucode_api_max of
IWL_DEVICE_6030 uses IWL6000G2_UCODE_API_MAX. Use this also for
MODULE_FIRMWARE.
Fixes: 9d9b21d1b616 ("iwlwifi: remove IWL_*_UCODE_API_OK")
Signed-off-by: Jürg Billeter
---
drivers/net/wireless/intel/iwlwifi/iwl-6000.c | 2
Hi Oleg,
Thanks for the review.
On Tue, 2017-09-12 at 19:05 +0200, Oleg Nesterov wrote:
> On 09/09, Jürg Billeter wrote:
> > Unlike
> > PR_SET_PDEATHSIG, this is inherited across fork to allow killing a whole
> > subtree without race conditions.
>
> but I am still n
On Wed, 2017-09-13 at 19:11 +0200, Oleg Nesterov wrote:
> On 09/12, Jürg Billeter wrote:
> >
> > On Tue, 2017-09-12 at 19:05 +0200, Oleg Nesterov wrote:
> > > On 09/09, Jürg Billeter wrote:
> > > > Unlike
> > > > PR_SET_PDEATHSIG, this i
descriptor.
Signed-off-by: Jürg Billeter
---
include/linux/fs.h | 2 ++
include/uapi/linux/fs.h | 6 +-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/include/linux/fs.h b/include/linux/fs.h
index e723b62c4b81..5f27ef9cce17 100644
--- a/include/linux/fs.h
+++ b/include/linux
bined with a seccomp filter.
There have been previous attempts to support this by changing the
behavior of PR_SET_PDEATHSIG. However, that would break existing
applications. See https://marc.info/?l=linux-kernel&m=117621804801689
and https://bugzilla.kernel.org/show_bug.cgi?id=43300
Signed-off
Hi Al,
Might it make sense to specify these lookup restrictions when opening
the directory (O_ROOT?) instead of specifying it for each lookup with
AT_* (or supporting both)? This might make it more useful when passing
directory fds between processes that do not use seccomp (where
AT_BENEATH could
The iBT 3.5 controllers (Intel 8265, Windstorm Peak) need
intel/ibt-12-16.sfi and intel/ibt-12-16.ddc firmware files from
linux-firmware repository.
Signed-off-by: Jürg Billeter
---
drivers/bluetooth/btintel.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/btintel.c b
On Mon, 2017-10-02 at 22:25 -0500, Eric W. Biederman wrote:
> The code where it calls group_send_sig_info is buggy for pdeath_signal.
> And it is no less buggy for this new case. There is no point to check
> permissions when sending a signal to yourself. Especially this signal
> gets cleared during
On Tue, 2017-10-03 at 09:46 -0500, Eric W. Biederman wrote:
> There is a general need to find out about the death of other processes,
> if you are not the parent of the process. I would be inclined to call
> it waitfd. Something that you give a pid. It performs a permission
> check and the pid
On Tue, 2017-10-03 at 12:40 -0500, Eric W. Biederman wrote:
> Jürg Billeter writes:
> > What's actually the reason that CLONE_NEWPID requires CAP_SYS_ADMIN?
> > Does CLONE_NEWPID pose any risks that don't exist for
> > CLONE_NEWUSER|CLONE_NEWPID? As
.
Signed-off-by: Jürg Billeter
---
include/linux/fs.h | 2 ++
include/uapi/linux/fs.h | 6 +-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 339e73742e73..fee24eae7523 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
bined with a seccomp filter.
There have been previous attempts to support this by changing the
behavior of PR_SET_PDEATHSIG. However, that would break existing
applications. See https://marc.info/?l=linux-kernel&m=117621804801689
and https://bugzilla.kernel.org/show_bug.cgi?id=43300
Signed-off
On Thu, 2017-10-05 at 18:27 +0200, Oleg Nesterov wrote:
> On 10/03, Jürg Billeter wrote:
> >
> > My use case is to provide a way for a process to spawn a child and
> > ensure that no descendants survive when that child dies. Avoiding
> > runaway processes is desira