2025-09-17 10:28:02 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2025-11-03 16:34:18 +00:00
|
|
|
/* Copyright (c) 2025 Christian Brauner <brauner@kernel.org> */
|
2025-09-17 10:28:02 +00:00
|
|
|
|
|
|
|
|
#include <linux/ns_common.h>
|
2025-09-17 10:28:07 +00:00
|
|
|
#include <linux/proc_ns.h>
|
ns: add active reference count
The namespace tree is, among other things, currently used to support
file handles for namespaces. When a namespace is created it is placed on
the namespace trees and when it is destroyed it is removed from the
namespace trees.
While a namespace is on the namespace trees with a valid reference count
it is possible to reopen it through a namespace file handle. This is all
fine but has some issues that should be addressed.
On current kernels a namespace is visible to userspace in the
following cases:
(1) The namespace is in use by a task.
(2) The namespace is persisted through a VFS object (namespace file
descriptor or bind-mount).
Note that (2) only cares about direct persistence of the namespace
itself not indirectly via e.g., file->f_cred file references or
similar.
(3) The namespace is a hierarchical namespace type and is the parent of
a single or multiple child namespaces.
Case (3) is interesting because it is possible that a parent namespace
might not fulfill any of (1) or (2), i.e., is invisible to userspace but
it may still be resurrected through the NS_GET_PARENT ioctl().
Currently namespace file handles allow much broader access to namespaces
than what is currently possible via (1)-(3). The reason is that
namespaces may remain pinned for completely internal reasons yet are
inaccessible to userspace.
For example, a user namespace my remain pinned by get_cred() calls to
stash the opener's credentials into file->f_cred. As it stands file
handles allow to resurrect such a users namespace even though this
should not be possible via (1)-(3). This is a fundamental uapi change
that we shouldn't do if we don't have to.
Consider the following insane case: Various architectures support the
CONFIG_MMU_LAZY_TLB_REFCOUNT option which uses lazy TLB destruction.
When this option is set a userspace task's struct mm_struct may be used
for kernel threads such as the idle task and will only be destroyed once
the cpu's runqueue switches back to another task. But because of ptrace()
permission checks struct mm_struct stashes the user namespace of the
task that struct mm_struct originally belonged to. The kernel thread
will take a reference on the struct mm_struct and thus pin it.
So on an idle system user namespaces can be persisted for arbitrary
amounts of time which also means that they can be resurrected using
namespace file handles. That makes no sense whatsoever. The problem is
of course excarabted on large systems with a huge number of cpus.
To handle this nicely we introduce an active reference count which
tracks (1)-(3). This is easy to do as all of these things are already
managed centrally. Only (1)-(3) will count towards the active reference
count and only namespaces which are active may be opened via namespace
file handles.
The problem is that namespaces may be resurrected. Which means that they
can become temporarily inactive and will be reactived some time later.
Currently the only example of this is the SIOGCSKNS socket ioctl. The
SIOCGSKNS ioctl allows to open a network namespace file descriptor based
on a socket file descriptor.
If a socket is tied to a network namespace that subsequently becomes
inactive but that socket is persisted by another process in another
network namespace (e.g., via SCM_RIGHTS of pidfd_getfd()) then the
SIOCGSKNS ioctl will resurrect this network namespace.
So calls to open_related_ns() and open_namespace() will end up
resurrecting the corresponding namespace tree.
Note that the active reference count does not regulate the lifetime of
the namespace itself. This is still done by the normal reference count.
The active reference count can only be elevated if the regular reference
count is elevated.
The active reference count also doesn't regulate the presence of a
namespace on the namespace trees. It only regulates its visiblity to
namespace file handles (and in later patches to listns()).
A namespace remains on the namespace trees from creation until its
actual destruction. This will allow the kernel to always reach any
namespace trivially and it will also enable subsystems like bpf to walk
the namespace lists on the system for tracing or general introspection
purposes.
Note that different namespaces have different visibility lifetimes on
current kernels. While most namespace are immediately released when the
last task using them exits, the user- and pid namespace are persisted
and thus both remain accessible via /proc/<pid>/ns/<ns_type>.
The user namespace lifetime is aliged with struct cred and is only
released through exit_creds(). However, it becomes inaccessible to
userspace once the last task using it is reaped, i.e., when
release_task() is called and all proc entries are flushed. Similarly,
the pid namespace is also visible until the last task using it has been
reaped and the associated pid numbers are freed.
The active reference counts of the user- and pid namespace are
decremented once the task is reaped.
Link: https://patch.msgid.link/20251029-work-namespace-nstree-listns-v4-11-2e6f823ebdc0@kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
2025-10-29 12:20:24 +00:00
|
|
|
#include <linux/user_namespace.h>
|
2025-09-22 12:42:37 +00:00
|
|
|
#include <linux/vfsdebug.h>
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_DEBUG_VFS
|
|
|
|
|
static void ns_debug(struct ns_common *ns, const struct proc_ns_operations *ops)
|
|
|
|
|
{
|
2025-09-24 11:33:59 +00:00
|
|
|
switch (ns->ns_type) {
|
2025-09-22 12:42:37 +00:00
|
|
|
#ifdef CONFIG_CGROUPS
|
|
|
|
|
case CLONE_NEWCGROUP:
|
|
|
|
|
VFS_WARN_ON_ONCE(ops != &cgroupns_operations);
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef CONFIG_IPC_NS
|
|
|
|
|
case CLONE_NEWIPC:
|
|
|
|
|
VFS_WARN_ON_ONCE(ops != &ipcns_operations);
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
case CLONE_NEWNS:
|
|
|
|
|
VFS_WARN_ON_ONCE(ops != &mntns_operations);
|
|
|
|
|
break;
|
|
|
|
|
#ifdef CONFIG_NET_NS
|
|
|
|
|
case CLONE_NEWNET:
|
|
|
|
|
VFS_WARN_ON_ONCE(ops != &netns_operations);
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef CONFIG_PID_NS
|
|
|
|
|
case CLONE_NEWPID:
|
|
|
|
|
VFS_WARN_ON_ONCE(ops != &pidns_operations);
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef CONFIG_TIME_NS
|
|
|
|
|
case CLONE_NEWTIME:
|
|
|
|
|
VFS_WARN_ON_ONCE(ops != &timens_operations);
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef CONFIG_USER_NS
|
|
|
|
|
case CLONE_NEWUSER:
|
|
|
|
|
VFS_WARN_ON_ONCE(ops != &userns_operations);
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef CONFIG_UTS_NS
|
|
|
|
|
case CLONE_NEWUTS:
|
|
|
|
|
VFS_WARN_ON_ONCE(ops != &utsns_operations);
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2025-09-17 10:28:02 +00:00
|
|
|
|
2025-09-24 11:33:59 +00:00
|
|
|
int __ns_common_init(struct ns_common *ns, u32 ns_type, const struct proc_ns_operations *ops, int inum)
|
2025-09-17 10:28:02 +00:00
|
|
|
{
|
ns: add active reference count
The namespace tree is, among other things, currently used to support
file handles for namespaces. When a namespace is created it is placed on
the namespace trees and when it is destroyed it is removed from the
namespace trees.
While a namespace is on the namespace trees with a valid reference count
it is possible to reopen it through a namespace file handle. This is all
fine but has some issues that should be addressed.
On current kernels a namespace is visible to userspace in the
following cases:
(1) The namespace is in use by a task.
(2) The namespace is persisted through a VFS object (namespace file
descriptor or bind-mount).
Note that (2) only cares about direct persistence of the namespace
itself not indirectly via e.g., file->f_cred file references or
similar.
(3) The namespace is a hierarchical namespace type and is the parent of
a single or multiple child namespaces.
Case (3) is interesting because it is possible that a parent namespace
might not fulfill any of (1) or (2), i.e., is invisible to userspace but
it may still be resurrected through the NS_GET_PARENT ioctl().
Currently namespace file handles allow much broader access to namespaces
than what is currently possible via (1)-(3). The reason is that
namespaces may remain pinned for completely internal reasons yet are
inaccessible to userspace.
For example, a user namespace my remain pinned by get_cred() calls to
stash the opener's credentials into file->f_cred. As it stands file
handles allow to resurrect such a users namespace even though this
should not be possible via (1)-(3). This is a fundamental uapi change
that we shouldn't do if we don't have to.
Consider the following insane case: Various architectures support the
CONFIG_MMU_LAZY_TLB_REFCOUNT option which uses lazy TLB destruction.
When this option is set a userspace task's struct mm_struct may be used
for kernel threads such as the idle task and will only be destroyed once
the cpu's runqueue switches back to another task. But because of ptrace()
permission checks struct mm_struct stashes the user namespace of the
task that struct mm_struct originally belonged to. The kernel thread
will take a reference on the struct mm_struct and thus pin it.
So on an idle system user namespaces can be persisted for arbitrary
amounts of time which also means that they can be resurrected using
namespace file handles. That makes no sense whatsoever. The problem is
of course excarabted on large systems with a huge number of cpus.
To handle this nicely we introduce an active reference count which
tracks (1)-(3). This is easy to do as all of these things are already
managed centrally. Only (1)-(3) will count towards the active reference
count and only namespaces which are active may be opened via namespace
file handles.
The problem is that namespaces may be resurrected. Which means that they
can become temporarily inactive and will be reactived some time later.
Currently the only example of this is the SIOGCSKNS socket ioctl. The
SIOCGSKNS ioctl allows to open a network namespace file descriptor based
on a socket file descriptor.
If a socket is tied to a network namespace that subsequently becomes
inactive but that socket is persisted by another process in another
network namespace (e.g., via SCM_RIGHTS of pidfd_getfd()) then the
SIOCGSKNS ioctl will resurrect this network namespace.
So calls to open_related_ns() and open_namespace() will end up
resurrecting the corresponding namespace tree.
Note that the active reference count does not regulate the lifetime of
the namespace itself. This is still done by the normal reference count.
The active reference count can only be elevated if the regular reference
count is elevated.
The active reference count also doesn't regulate the presence of a
namespace on the namespace trees. It only regulates its visiblity to
namespace file handles (and in later patches to listns()).
A namespace remains on the namespace trees from creation until its
actual destruction. This will allow the kernel to always reach any
namespace trivially and it will also enable subsystems like bpf to walk
the namespace lists on the system for tracing or general introspection
purposes.
Note that different namespaces have different visibility lifetimes on
current kernels. While most namespace are immediately released when the
last task using them exits, the user- and pid namespace are persisted
and thus both remain accessible via /proc/<pid>/ns/<ns_type>.
The user namespace lifetime is aliged with struct cred and is only
released through exit_creds(). However, it becomes inaccessible to
userspace once the last task using it is reaped, i.e., when
release_task() is called and all proc entries are flushed. Similarly,
the pid namespace is also visible until the last task using it has been
reaped and the associated pid numbers are freed.
The active reference counts of the user- and pid namespace are
decremented once the task is reaped.
Link: https://patch.msgid.link/20251029-work-namespace-nstree-listns-v4-11-2e6f823ebdc0@kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
2025-10-29 12:20:24 +00:00
|
|
|
int ret;
|
|
|
|
|
|
2025-09-18 10:11:59 +00:00
|
|
|
refcount_set(&ns->__ns_ref, 1);
|
2025-09-17 10:28:02 +00:00
|
|
|
ns->stashed = NULL;
|
|
|
|
|
ns->ops = ops;
|
|
|
|
|
ns->ns_id = 0;
|
2025-09-24 11:33:59 +00:00
|
|
|
ns->ns_type = ns_type;
|
2025-09-17 10:28:02 +00:00
|
|
|
RB_CLEAR_NODE(&ns->ns_tree_node);
|
2025-10-29 12:20:26 +00:00
|
|
|
RB_CLEAR_NODE(&ns->ns_unified_tree_node);
|
2025-10-29 12:20:29 +00:00
|
|
|
RB_CLEAR_NODE(&ns->ns_owner_tree_node);
|
2025-09-17 10:28:02 +00:00
|
|
|
INIT_LIST_HEAD(&ns->ns_list_node);
|
2025-10-29 12:20:31 +00:00
|
|
|
INIT_LIST_HEAD(&ns->ns_unified_list_node);
|
2025-10-29 12:20:29 +00:00
|
|
|
ns->ns_owner_tree = RB_ROOT;
|
|
|
|
|
INIT_LIST_HEAD(&ns->ns_owner);
|
|
|
|
|
INIT_LIST_HEAD(&ns->ns_owner_entry);
|
2025-09-17 10:28:07 +00:00
|
|
|
|
2025-09-22 12:42:37 +00:00
|
|
|
#ifdef CONFIG_DEBUG_VFS
|
|
|
|
|
ns_debug(ns, ops);
|
|
|
|
|
#endif
|
|
|
|
|
|
2025-09-17 10:28:07 +00:00
|
|
|
if (inum) {
|
|
|
|
|
ns->inum = inum;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
ns: add active reference count
The namespace tree is, among other things, currently used to support
file handles for namespaces. When a namespace is created it is placed on
the namespace trees and when it is destroyed it is removed from the
namespace trees.
While a namespace is on the namespace trees with a valid reference count
it is possible to reopen it through a namespace file handle. This is all
fine but has some issues that should be addressed.
On current kernels a namespace is visible to userspace in the
following cases:
(1) The namespace is in use by a task.
(2) The namespace is persisted through a VFS object (namespace file
descriptor or bind-mount).
Note that (2) only cares about direct persistence of the namespace
itself not indirectly via e.g., file->f_cred file references or
similar.
(3) The namespace is a hierarchical namespace type and is the parent of
a single or multiple child namespaces.
Case (3) is interesting because it is possible that a parent namespace
might not fulfill any of (1) or (2), i.e., is invisible to userspace but
it may still be resurrected through the NS_GET_PARENT ioctl().
Currently namespace file handles allow much broader access to namespaces
than what is currently possible via (1)-(3). The reason is that
namespaces may remain pinned for completely internal reasons yet are
inaccessible to userspace.
For example, a user namespace my remain pinned by get_cred() calls to
stash the opener's credentials into file->f_cred. As it stands file
handles allow to resurrect such a users namespace even though this
should not be possible via (1)-(3). This is a fundamental uapi change
that we shouldn't do if we don't have to.
Consider the following insane case: Various architectures support the
CONFIG_MMU_LAZY_TLB_REFCOUNT option which uses lazy TLB destruction.
When this option is set a userspace task's struct mm_struct may be used
for kernel threads such as the idle task and will only be destroyed once
the cpu's runqueue switches back to another task. But because of ptrace()
permission checks struct mm_struct stashes the user namespace of the
task that struct mm_struct originally belonged to. The kernel thread
will take a reference on the struct mm_struct and thus pin it.
So on an idle system user namespaces can be persisted for arbitrary
amounts of time which also means that they can be resurrected using
namespace file handles. That makes no sense whatsoever. The problem is
of course excarabted on large systems with a huge number of cpus.
To handle this nicely we introduce an active reference count which
tracks (1)-(3). This is easy to do as all of these things are already
managed centrally. Only (1)-(3) will count towards the active reference
count and only namespaces which are active may be opened via namespace
file handles.
The problem is that namespaces may be resurrected. Which means that they
can become temporarily inactive and will be reactived some time later.
Currently the only example of this is the SIOGCSKNS socket ioctl. The
SIOCGSKNS ioctl allows to open a network namespace file descriptor based
on a socket file descriptor.
If a socket is tied to a network namespace that subsequently becomes
inactive but that socket is persisted by another process in another
network namespace (e.g., via SCM_RIGHTS of pidfd_getfd()) then the
SIOCGSKNS ioctl will resurrect this network namespace.
So calls to open_related_ns() and open_namespace() will end up
resurrecting the corresponding namespace tree.
Note that the active reference count does not regulate the lifetime of
the namespace itself. This is still done by the normal reference count.
The active reference count can only be elevated if the regular reference
count is elevated.
The active reference count also doesn't regulate the presence of a
namespace on the namespace trees. It only regulates its visiblity to
namespace file handles (and in later patches to listns()).
A namespace remains on the namespace trees from creation until its
actual destruction. This will allow the kernel to always reach any
namespace trivially and it will also enable subsystems like bpf to walk
the namespace lists on the system for tracing or general introspection
purposes.
Note that different namespaces have different visibility lifetimes on
current kernels. While most namespace are immediately released when the
last task using them exits, the user- and pid namespace are persisted
and thus both remain accessible via /proc/<pid>/ns/<ns_type>.
The user namespace lifetime is aliged with struct cred and is only
released through exit_creds(). However, it becomes inaccessible to
userspace once the last task using it is reaped, i.e., when
release_task() is called and all proc entries are flushed. Similarly,
the pid namespace is also visible until the last task using it has been
reaped and the associated pid numbers are freed.
The active reference counts of the user- and pid namespace are
decremented once the task is reaped.
Link: https://patch.msgid.link/20251029-work-namespace-nstree-listns-v4-11-2e6f823ebdc0@kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
2025-10-29 12:20:24 +00:00
|
|
|
ret = proc_alloc_inum(&ns->inum);
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
/*
|
|
|
|
|
* Tree ref starts at 0. It's incremented when namespace enters
|
|
|
|
|
* active use (installed in nsproxy) and decremented when all
|
|
|
|
|
* active uses are gone. Initial namespaces are always active.
|
|
|
|
|
*/
|
|
|
|
|
if (is_initial_namespace(ns))
|
|
|
|
|
atomic_set(&ns->__ns_ref_active, 1);
|
|
|
|
|
else
|
|
|
|
|
atomic_set(&ns->__ns_ref_active, 0);
|
|
|
|
|
return 0;
|
2025-09-17 10:28:02 +00:00
|
|
|
}
|
2025-09-17 10:28:08 +00:00
|
|
|
|
|
|
|
|
void __ns_common_free(struct ns_common *ns)
|
|
|
|
|
{
|
|
|
|
|
proc_free_inum(ns->inum);
|
|
|
|
|
}
|
ns: add active reference count
The namespace tree is, among other things, currently used to support
file handles for namespaces. When a namespace is created it is placed on
the namespace trees and when it is destroyed it is removed from the
namespace trees.
While a namespace is on the namespace trees with a valid reference count
it is possible to reopen it through a namespace file handle. This is all
fine but has some issues that should be addressed.
On current kernels a namespace is visible to userspace in the
following cases:
(1) The namespace is in use by a task.
(2) The namespace is persisted through a VFS object (namespace file
descriptor or bind-mount).
Note that (2) only cares about direct persistence of the namespace
itself not indirectly via e.g., file->f_cred file references or
similar.
(3) The namespace is a hierarchical namespace type and is the parent of
a single or multiple child namespaces.
Case (3) is interesting because it is possible that a parent namespace
might not fulfill any of (1) or (2), i.e., is invisible to userspace but
it may still be resurrected through the NS_GET_PARENT ioctl().
Currently namespace file handles allow much broader access to namespaces
than what is currently possible via (1)-(3). The reason is that
namespaces may remain pinned for completely internal reasons yet are
inaccessible to userspace.
For example, a user namespace my remain pinned by get_cred() calls to
stash the opener's credentials into file->f_cred. As it stands file
handles allow to resurrect such a users namespace even though this
should not be possible via (1)-(3). This is a fundamental uapi change
that we shouldn't do if we don't have to.
Consider the following insane case: Various architectures support the
CONFIG_MMU_LAZY_TLB_REFCOUNT option which uses lazy TLB destruction.
When this option is set a userspace task's struct mm_struct may be used
for kernel threads such as the idle task and will only be destroyed once
the cpu's runqueue switches back to another task. But because of ptrace()
permission checks struct mm_struct stashes the user namespace of the
task that struct mm_struct originally belonged to. The kernel thread
will take a reference on the struct mm_struct and thus pin it.
So on an idle system user namespaces can be persisted for arbitrary
amounts of time which also means that they can be resurrected using
namespace file handles. That makes no sense whatsoever. The problem is
of course excarabted on large systems with a huge number of cpus.
To handle this nicely we introduce an active reference count which
tracks (1)-(3). This is easy to do as all of these things are already
managed centrally. Only (1)-(3) will count towards the active reference
count and only namespaces which are active may be opened via namespace
file handles.
The problem is that namespaces may be resurrected. Which means that they
can become temporarily inactive and will be reactived some time later.
Currently the only example of this is the SIOGCSKNS socket ioctl. The
SIOCGSKNS ioctl allows to open a network namespace file descriptor based
on a socket file descriptor.
If a socket is tied to a network namespace that subsequently becomes
inactive but that socket is persisted by another process in another
network namespace (e.g., via SCM_RIGHTS of pidfd_getfd()) then the
SIOCGSKNS ioctl will resurrect this network namespace.
So calls to open_related_ns() and open_namespace() will end up
resurrecting the corresponding namespace tree.
Note that the active reference count does not regulate the lifetime of
the namespace itself. This is still done by the normal reference count.
The active reference count can only be elevated if the regular reference
count is elevated.
The active reference count also doesn't regulate the presence of a
namespace on the namespace trees. It only regulates its visiblity to
namespace file handles (and in later patches to listns()).
A namespace remains on the namespace trees from creation until its
actual destruction. This will allow the kernel to always reach any
namespace trivially and it will also enable subsystems like bpf to walk
the namespace lists on the system for tracing or general introspection
purposes.
Note that different namespaces have different visibility lifetimes on
current kernels. While most namespace are immediately released when the
last task using them exits, the user- and pid namespace are persisted
and thus both remain accessible via /proc/<pid>/ns/<ns_type>.
The user namespace lifetime is aliged with struct cred and is only
released through exit_creds(). However, it becomes inaccessible to
userspace once the last task using it is reaped, i.e., when
release_task() is called and all proc entries are flushed. Similarly,
the pid namespace is also visible until the last task using it has been
reaped and the associated pid numbers are freed.
The active reference counts of the user- and pid namespace are
decremented once the task is reaped.
Link: https://patch.msgid.link/20251029-work-namespace-nstree-listns-v4-11-2e6f823ebdc0@kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
2025-10-29 12:20:24 +00:00
|
|
|
|
|
|
|
|
static struct ns_common *ns_owner(struct ns_common *ns)
|
|
|
|
|
{
|
|
|
|
|
struct user_namespace *owner;
|
|
|
|
|
|
|
|
|
|
if (unlikely(!ns->ops))
|
|
|
|
|
return NULL;
|
|
|
|
|
VFS_WARN_ON_ONCE(!ns->ops->owner);
|
|
|
|
|
owner = ns->ops->owner(ns);
|
|
|
|
|
VFS_WARN_ON_ONCE(!owner && ns != to_ns_common(&init_user_ns));
|
|
|
|
|
if (!owner)
|
|
|
|
|
return NULL;
|
|
|
|
|
/* Skip init_user_ns as it's always active */
|
|
|
|
|
if (owner == &init_user_ns)
|
|
|
|
|
return NULL;
|
|
|
|
|
return to_ns_common(owner);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void __ns_ref_active_get_owner(struct ns_common *ns)
|
|
|
|
|
{
|
|
|
|
|
ns = ns_owner(ns);
|
|
|
|
|
if (ns)
|
|
|
|
|
WARN_ON_ONCE(atomic_add_negative(1, &ns->__ns_ref_active));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The active reference count works by having each namespace that gets
|
|
|
|
|
* created take a single active reference on its owning user namespace.
|
|
|
|
|
* That single reference is only released once the child namespace's
|
|
|
|
|
* active count itself goes down.
|
|
|
|
|
*
|
|
|
|
|
* A regular namespace tree might look as follow:
|
|
|
|
|
* Legend:
|
|
|
|
|
* + : adding active reference
|
|
|
|
|
* - : dropping active reference
|
|
|
|
|
* x : always active (initial namespace)
|
|
|
|
|
*
|
|
|
|
|
*
|
|
|
|
|
* net_ns pid_ns
|
|
|
|
|
* \ /
|
|
|
|
|
* + +
|
|
|
|
|
* user_ns1 (2)
|
|
|
|
|
* |
|
|
|
|
|
* ipc_ns | uts_ns
|
|
|
|
|
* \ | /
|
|
|
|
|
* + + +
|
|
|
|
|
* user_ns2 (3)
|
|
|
|
|
* |
|
|
|
|
|
* cgroup_ns | mnt_ns
|
|
|
|
|
* \ | /
|
|
|
|
|
* x x x
|
|
|
|
|
* init_user_ns (1)
|
|
|
|
|
*
|
|
|
|
|
* If both net_ns and pid_ns put their last active reference on
|
|
|
|
|
* themselves it will cascade to user_ns1 dropping its own active
|
|
|
|
|
* reference and dropping one active reference on user_ns2:
|
|
|
|
|
*
|
|
|
|
|
* net_ns pid_ns
|
|
|
|
|
* \ /
|
|
|
|
|
* - -
|
|
|
|
|
* user_ns1 (0)
|
|
|
|
|
* |
|
|
|
|
|
* ipc_ns | uts_ns
|
|
|
|
|
* \ | /
|
|
|
|
|
* + - +
|
|
|
|
|
* user_ns2 (2)
|
|
|
|
|
* |
|
|
|
|
|
* cgroup_ns | mnt_ns
|
|
|
|
|
* \ | /
|
|
|
|
|
* x x x
|
|
|
|
|
* init_user_ns (1)
|
|
|
|
|
*
|
|
|
|
|
* The iteration stops once we reach a namespace that still has active
|
|
|
|
|
* references.
|
|
|
|
|
*/
|
|
|
|
|
void __ns_ref_active_put_owner(struct ns_common *ns)
|
|
|
|
|
{
|
|
|
|
|
for (;;) {
|
|
|
|
|
ns = ns_owner(ns);
|
|
|
|
|
if (!ns)
|
|
|
|
|
return;
|
|
|
|
|
if (!atomic_dec_and_test(&ns->__ns_ref_active))
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The active reference count works by having each namespace that gets
|
|
|
|
|
* created take a single active reference on its owning user namespace.
|
|
|
|
|
* That single reference is only released once the child namespace's
|
|
|
|
|
* active count itself goes down. This makes it possible to efficiently
|
|
|
|
|
* resurrect a namespace tree:
|
|
|
|
|
*
|
|
|
|
|
* A regular namespace tree might look as follow:
|
|
|
|
|
* Legend:
|
|
|
|
|
* + : adding active reference
|
|
|
|
|
* - : dropping active reference
|
|
|
|
|
* x : always active (initial namespace)
|
|
|
|
|
*
|
|
|
|
|
*
|
|
|
|
|
* net_ns pid_ns
|
|
|
|
|
* \ /
|
|
|
|
|
* + +
|
|
|
|
|
* user_ns1 (2)
|
|
|
|
|
* |
|
|
|
|
|
* ipc_ns | uts_ns
|
|
|
|
|
* \ | /
|
|
|
|
|
* + + +
|
|
|
|
|
* user_ns2 (3)
|
|
|
|
|
* |
|
|
|
|
|
* cgroup_ns | mnt_ns
|
|
|
|
|
* \ | /
|
|
|
|
|
* x x x
|
|
|
|
|
* init_user_ns (1)
|
|
|
|
|
*
|
|
|
|
|
* If both net_ns and pid_ns put their last active reference on
|
|
|
|
|
* themselves it will cascade to user_ns1 dropping its own active
|
|
|
|
|
* reference and dropping one active reference on user_ns2:
|
|
|
|
|
*
|
|
|
|
|
* net_ns pid_ns
|
|
|
|
|
* \ /
|
|
|
|
|
* - -
|
|
|
|
|
* user_ns1 (0)
|
|
|
|
|
* |
|
|
|
|
|
* ipc_ns | uts_ns
|
|
|
|
|
* \ | /
|
|
|
|
|
* + - +
|
|
|
|
|
* user_ns2 (2)
|
|
|
|
|
* |
|
|
|
|
|
* cgroup_ns | mnt_ns
|
|
|
|
|
* \ | /
|
|
|
|
|
* x x x
|
|
|
|
|
* init_user_ns (1)
|
|
|
|
|
*
|
|
|
|
|
* Assume the whole tree is dead but all namespaces are still active:
|
|
|
|
|
*
|
|
|
|
|
* net_ns pid_ns
|
|
|
|
|
* \ /
|
|
|
|
|
* - -
|
|
|
|
|
* user_ns1 (0)
|
|
|
|
|
* |
|
|
|
|
|
* ipc_ns | uts_ns
|
|
|
|
|
* \ | /
|
|
|
|
|
* - - -
|
|
|
|
|
* user_ns2 (0)
|
|
|
|
|
* |
|
|
|
|
|
* cgroup_ns | mnt_ns
|
|
|
|
|
* \ | /
|
|
|
|
|
* x x x
|
|
|
|
|
* init_user_ns (1)
|
|
|
|
|
*
|
|
|
|
|
* Now assume the net_ns gets resurrected (.e.g., via the SIOCGSKNS ioctl()):
|
|
|
|
|
*
|
|
|
|
|
* net_ns pid_ns
|
|
|
|
|
* \ /
|
|
|
|
|
* + -
|
|
|
|
|
* user_ns1 (0)
|
|
|
|
|
* |
|
|
|
|
|
* ipc_ns | uts_ns
|
|
|
|
|
* \ | /
|
|
|
|
|
* - + -
|
|
|
|
|
* user_ns2 (0)
|
|
|
|
|
* |
|
|
|
|
|
* cgroup_ns | mnt_ns
|
|
|
|
|
* \ | /
|
|
|
|
|
* x x x
|
|
|
|
|
* init_user_ns (1)
|
|
|
|
|
*
|
|
|
|
|
* If net_ns had a zero reference count and we bumped it we also need to
|
|
|
|
|
* take another reference on its owning user namespace. Similarly, if
|
|
|
|
|
* pid_ns had a zero reference count it also needs to take another
|
|
|
|
|
* reference on its owning user namespace. So both net_ns and pid_ns
|
|
|
|
|
* will each have their own reference on the owning user namespace.
|
|
|
|
|
*
|
|
|
|
|
* If the owning user namespace user_ns1 had a zero reference count then
|
|
|
|
|
* it also needs to take another reference on its owning user namespace
|
|
|
|
|
* and so on.
|
|
|
|
|
*/
|
|
|
|
|
void __ns_ref_active_resurrect(struct ns_common *ns)
|
|
|
|
|
{
|
|
|
|
|
/* If we didn't resurrect the namespace we're done. */
|
|
|
|
|
if (atomic_fetch_add(1, &ns->__ns_ref_active))
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We did resurrect it. Walk the ownership hierarchy upwards
|
|
|
|
|
* until we found an owning user namespace that is active.
|
|
|
|
|
*/
|
|
|
|
|
for (;;) {
|
|
|
|
|
ns = ns_owner(ns);
|
|
|
|
|
if (!ns)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (atomic_fetch_add(1, &ns->__ns_ref_active))
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|