Implement setns for pid namespaces

PiperOrigin-RevId: 776238354

Author: avagin

pkg/sentry/control/lifecycle.go

@@ -237,10 +237,6 @@ func (l *Lifecycle) StartContainer(args *StartContainerArgs, _ *uint32) error {
 		ls.SetUnchecked(lt, limit)
 	}
 
-	// Create a new pid namespace for the container. Each container must run
-	// in its own pid namespace.
-	pidNs := l.Kernel.RootPIDNamespace().NewChild(l.Kernel.RootUserNamespace())
-
 	initArgs := kernel.CreateProcessArgs{
 		Filename: args.Filename,
 		Argv:     args.Argv,
@@ -254,11 +250,14 @@ func (l *Lifecycle) StartContainer(args *StartContainerArgs, _ *uint32) error {
 		UTSNamespace:         l.Kernel.RootUTSNamespace(),
 		IPCNamespace:         l.Kernel.RootIPCNamespace(),
 		ContainerID:          args.ContainerID,
-		PIDNamespace:         pidNs,
 	}
 
 	ctx := initArgs.NewContext(l.Kernel)
 
+	// Create a new pid namespace for the container. Each container must run
+	// in its own pid namespace.
+	initArgs.PIDNamespace = l.Kernel.RootPIDNamespace().NewChild(ctx, l.Kernel, l.Kernel.RootUserNamespace())
+
 	// Import file descriptors.
 	fdTable := l.Kernel.NewFDTable()
 	defer fdTable.DecRef(ctx)

pkg/sentry/fsimpl/proc/task.go

@@ -78,7 +78,7 @@ func (fs *filesystem) newTaskInode(ctx context.Context, task *kernel.Task, pidns
 		"ns": fs.newTaskOwnedDir(ctx, task, fs.NextIno(), 0511, map[string]kernfs.Inode{
 			"net":  fs.newNamespaceSymlink(ctx, task, fs.NextIno(), linux.CLONE_NEWNET),
 			"mnt":  fs.newNamespaceSymlink(ctx, task, fs.NextIno(), linux.CLONE_NEWNS),
-			"pid":  fs.newPIDNamespaceSymlink(ctx, task, fs.NextIno()),
+			"pid":  fs.newNamespaceSymlink(ctx, task, fs.NextIno(), linux.CLONE_NEWPID),
 			"user": fs.newFakeNamespaceSymlink(ctx, task, fs.NextIno(), "user"),
 			"ipc":  fs.newNamespaceSymlink(ctx, task, fs.NextIno(), linux.CLONE_NEWIPC),
 			"uts":  fs.newNamespaceSymlink(ctx, task, fs.NextIno(), linux.CLONE_NEWUTS),

pkg/sentry/fsimpl/proc/task_files.go

@@ -1289,17 +1289,6 @@ func (fs *filesystem) newNamespaceSymlink(ctx context.Context, task *kernel.Task
 	return taskInode
 }
 
-func (fs *filesystem) newPIDNamespaceSymlink(ctx context.Context, task *kernel.Task, ino uint64) kernfs.Inode {
-	target := fmt.Sprintf("pid:[%d]", task.PIDNamespace().ID())
-
-	inode := &namespaceSymlink{task: task}
-	// Note: credentials are overridden by taskOwnedInode.
-	inode.Init(ctx, task.Credentials(), linux.UNNAMED_MAJOR, fs.devMinor, ino, target)
-
-	taskInode := &taskOwnedInode{Inode: inode, owner: task}
-	return taskInode
-}
-
 func (fs *filesystem) newFakeNamespaceSymlink(ctx context.Context, task *kernel.Task, ino uint64, ns string) kernfs.Inode {
 	// Namespace symlinks should contain the namespace name and the inode number
 	// for the namespace instance, so for example user:[123456]. We currently fake
@@ -1339,6 +1328,11 @@ func (s *namespaceSymlink) getInode(t *kernel.Task) *nsfs.Inode {
 		}
 		inode, _ := mntns.Refs.(*nsfs.Inode)
 		return inode
+	case linux.CLONE_NEWPID:
+		if pidns := t.GetPIDNamespace(); pidns != nil {
+			return pidns.GetInode()
+		}
+		return nil
 	default:
 		panic("unknown namespace")
 	}

pkg/sentry/fsimpl/testutil/kernel.go

@@ -106,7 +106,7 @@ func Boot() (*kernel.Kernel, error) {
 		VdsoParams:        params,
 		RootUTSNamespace:  kernel.NewUTSNamespace("hostname", "domain", creds.UserNamespace),
 		RootIPCNamespace:  kernel.NewIPCNamespace(creds.UserNamespace),
-		PIDNamespace:      kernel.NewRootPIDNamespace(creds.UserNamespace),
+		RootPIDNamespace:  kernel.NewRootPIDNamespace(creds.UserNamespace),
 		UnixSocketOpts:    transport.UnixSocketOpts{},
 	}); err != nil {
 		return nil, fmt.Errorf("initializing kernel: %v", err)

pkg/sentry/kernel/kernel.go

@@ -441,8 +441,8 @@ type InitKernelArgs struct {
 	// RootIPCNamespace is the root IPC namespace.
 	RootIPCNamespace *IPCNamespace
 
-	// PIDNamespace is the root PID namespace.
-	PIDNamespace *PIDNamespace
+	// RootPIDNamespace is the root PID namespace.
+	RootPIDNamespace *PIDNamespace
 
 	// MaxFDLimit specifies the maximum file descriptor number that can be
 	// used by processes.  If it is zero, the limit will be set to
@@ -473,7 +473,7 @@ func (k *Kernel) Init(args InitKernelArgs) error {
 
 	k.featureSet = args.FeatureSet
 	k.timekeeper = args.Timekeeper
-	k.tasks = newTaskSet(args.PIDNamespace)
+	k.tasks = newTaskSet(args.RootPIDNamespace)
 	k.rootUserNamespace = args.RootUserNamespace
 	k.rootUTSNamespace = args.RootUTSNamespace
 	k.rootIPCNamespace = args.RootIPCNamespace
@@ -540,6 +540,8 @@ func (k *Kernel) Init(args InitKernelArgs) error {
 	k.rootIPCNamespace.SetInode(nsfs.NewInode(ctx, k.nsfsMount, k.rootIPCNamespace))
 	k.rootUTSNamespace.SetInode(nsfs.NewInode(ctx, k.nsfsMount, k.rootUTSNamespace))
 
+	args.RootPIDNamespace.InitInode(ctx, k)
+
 	tmpfsOpts := vfs.GetFilesystemOptions{
 		InternalData: tmpfs.FilesystemOpts{
 			// See mm/shmem.c:shmem_init() => vfs_kern_mount(flags=SB_KERNMOUNT).
@@ -1911,6 +1913,7 @@ func (k *Kernel) Release() {
 	k.rootUTSNamespace.DecRef(ctx)
 	k.cleaupDevGofers()
 	k.mf.Destroy()
+	k.RootPIDNamespace().DecRef(ctx)
 }
 
 // PopulateNewCgroupHierarchy moves all tasks into a newly created cgroup

pkg/sentry/kernel/task_clone.go

@@ -224,7 +224,8 @@ func (t *Task) Clone(args *linux.CloneArgs) (ThreadID, *SyscallControl, error) {
 	if t.childPIDNamespace != nil {
 		pidns = t.childPIDNamespace
 	} else if args.Flags&linux.CLONE_NEWPID != 0 {
-		pidns = pidns.NewChild(userns)
+		pidns = pidns.NewChild(t, t.k, userns)
+		defer pidns.DecRef(t)
 	}
 
 	tg := t.tg
@@ -277,6 +278,9 @@ func (t *Task) Clone(args *linux.CloneArgs) (ThreadID, *SyscallControl, error) {
 	// the cleanup for us.
 	cu.Release()
 	if err != nil {
+		if args.Flags&linux.CLONE_THREAD == 0 {
+			tg.Release(t)
+		}
 		return 0, nil, err
 	}
 
@@ -547,6 +551,36 @@ func (t *Task) Setns(fd *vfs.FileDescription, flags int32) error {
 		t.mu.Unlock()
 		oldNS.DecRef(t)
 		return nil
+	case *PIDNamespace:
+		if flags != 0 && flags != linux.CLONE_NEWPID {
+			return linuxerr.EINVAL
+		}
+		if !t.HasCapabilityIn(linux.CAP_SYS_ADMIN, ns.UserNamespace()) ||
+			!t.Credentials().HasCapability(linux.CAP_SYS_ADMIN) {
+			return linuxerr.EPERM
+		}
+
+		// Allow setting the current or a child pid namespace.
+		current := t.PIDNamespace()
+		ancestor := ns
+		for ; ancestor != nil; ancestor = ancestor.parent {
+			if ancestor == current {
+				break
+			}
+		}
+		if ancestor == nil {
+			return linuxerr.EINVAL
+		}
+
+		oldNS := t.childPIDNamespace
+		ns.IncRef()
+		t.mu.Lock()
+		t.childPIDNamespace = ns
+		t.mu.Unlock()
+		if oldNS != nil {
+			oldNS.DecRef(t)
+		}
+		return nil
 	default:
 		return linuxerr.EINVAL
 	}
@@ -611,7 +645,7 @@ func (t *Task) Unshare(flags int32) error {
 		if !haveCapSysAdmin {
 			return linuxerr.EPERM
 		}
-		t.childPIDNamespace = t.tg.pidns.NewChild(t.UserNamespace())
+		t.childPIDNamespace = t.tg.pidns.NewChild(t, t.k, t.UserNamespace())
 	}
 	if flags&linux.CLONE_NEWNET != 0 {
 		if !haveCapSysAdmin {

pkg/sentry/kernel/task_exit.go

@@ -304,11 +304,16 @@ func (*runExitMain) execute(t *Task) taskRunState {
 	t.ipcns = nil
 	netns := t.netns
 	t.netns = nil
+	childPIDNS := t.childPIDNamespace
+	t.childPIDNamespace = nil
 	t.mu.Unlock()
 	mntns.DecRef(t)
 	utsns.DecRef(t)
 	ipcns.DecRef(t)
 	netns.DecRef(t)
+	if childPIDNS != nil {
+		childPIDNS.DecRef(t)
+	}
 
 	// If this is the last task to exit from the thread group, release the
 	// thread group's resources.

pkg/sentry/kernel/thread_group.go

@@ -285,6 +285,7 @@ type ThreadGroup struct {
 // The new thread group isn't visible to the system until a task has been
 // created inside of it by a successful call to TaskSet.NewTask.
 func (k *Kernel) NewThreadGroup(pidns *PIDNamespace, sh *SignalHandlers, terminationSignal linux.Signal, limits *limits.LimitSet) *ThreadGroup {
+	pidns.IncRef()
 	tg := &ThreadGroup{
 		threadGroupNode: threadGroupNode{
 			pidns: pidns,
@@ -364,6 +365,7 @@ func (tg *ThreadGroup) Release(ctx context.Context) {
 	for _, it := range its {
 		it.DestroyTimer()
 	}
+	tg.pidns.DecRef(ctx)
 }
 
 // forEachChildThreadGroupLocked indicates over all child ThreadGroups.

pkg/sentry/kernel/threads.go

@@ -18,6 +18,8 @@ import (
 	"fmt"
 
 	"gvisor.dev/gvisor/pkg/atomicbitops"
+	"gvisor.dev/gvisor/pkg/context"
+	"gvisor.dev/gvisor/pkg/sentry/fsimpl/nsfs"
 	"gvisor.dev/gvisor/pkg/sentry/kernel/auth"
 	"gvisor.dev/gvisor/pkg/sync"
 	"gvisor.dev/gvisor/pkg/waiter"
@@ -207,6 +209,8 @@ type PIDNamespace struct {
 
 	// pidNamespaceData contains additional per-PID-namespace data.
 	extra pidNamespaceData
+
+	inode *nsfs.Inode
 }
 
 func newPIDNamespace(ts *TaskSet, parent *PIDNamespace, userns *auth.UserNamespace) *PIDNamespace {
@@ -226,6 +230,11 @@ func newPIDNamespace(ts *TaskSet, parent *PIDNamespace, userns *auth.UserNamespa
 	}
 }
 
+// InitInode creates and sets a new nsfs.Inode.
+func (ns *PIDNamespace) InitInode(ctx context.Context, k *Kernel) {
+	ns.inode = nsfs.NewInode(ctx, k.nsfsMount, ns)
+}
+
 // lastPIDNSID is the last value of PIDNamespace.ID assigned to a PID
 // namespace.
 //
@@ -239,10 +248,35 @@ func NewRootPIDNamespace(userns *auth.UserNamespace) *PIDNamespace {
 	return newPIDNamespace(nil, nil, userns)
 }
 
+// GetInode returns the nsfs inode associated with the namespace.
+func (ns *PIDNamespace) GetInode() *nsfs.Inode {
+	return ns.inode
+}
+
+// IncRef increments the Namespace's refcount.
+func (ns *PIDNamespace) IncRef() {
+	ns.inode.IncRef()
+}
+
+// DecRef decrements the namespace's refcount.
+func (ns *PIDNamespace) DecRef(ctx context.Context) {
+	ns.inode.DecRef(ctx)
+}
+
+// Destroy implements nsfs.Namespace.Destroy.
+func (ns *PIDNamespace) Destroy(ctx context.Context) {}
+
+// Type implements nsfs.Namespace.Type.
+func (ns *PIDNamespace) Type() string {
+	return "pid"
+}
+
 // NewChild returns a new, empty PID namespace that is a child of ns. Authority
 // over the new PID namespace is controlled by userns.
-func (ns *PIDNamespace) NewChild(userns *auth.UserNamespace) *PIDNamespace {
-	return newPIDNamespace(ns.owner, ns, userns)
+func (ns *PIDNamespace) NewChild(ctx context.Context, k *Kernel, userns *auth.UserNamespace) *PIDNamespace {
+	pidns := newPIDNamespace(ns.owner, ns, userns)
+	pidns.InitInode(ctx, k)
+	return pidns
 }
 
 // TaskWithID returns the task with thread ID tid in PID namespace ns. If no
@@ -538,6 +572,12 @@ func (t *Task) PIDNamespace() *PIDNamespace {
 	return t.tg.pidns
 }
 
+// GetPIDNamespace returns the PID namespace containing t.
+func (t *Task) GetPIDNamespace() *PIDNamespace {
+	t.tg.pidns.IncRef()
+	return t.tg.pidns
+}
+
 // TaskSet returns the TaskSet containing t.
 func (t *Task) TaskSet() *TaskSet {
 	return t.tg.pidns.owner

runsc/boot/loader.go

@@ -625,7 +625,7 @@ func New(args Args) (*Loader, error) {
 		VdsoParams:           params,
 		RootUTSNamespace:     kernel.NewUTSNamespace(args.Spec.Hostname, args.Spec.Hostname, creds.UserNamespace),
 		RootIPCNamespace:     kernel.NewIPCNamespace(creds.UserNamespace),
-		PIDNamespace:         kernel.NewRootPIDNamespace(creds.UserNamespace),
+		RootPIDNamespace:     kernel.NewRootPIDNamespace(creds.UserNamespace),
 		MaxFDLimit:           maxFDLimit,
 		UnixSocketOpts:       unixSocketOpts,
 	}); err != nil {
@@ -1090,7 +1090,7 @@ func (l *Loader) startSubcontainer(spec *specs.Spec, conf *config.Config, cid st
 		}
 		if pidns == nil {
 			log.Warningf("PID namespace %q not found, running in new PID namespace", ns.Path)
-			pidns = l.k.RootPIDNamespace().NewChild(l.k.RootUserNamespace())
+			pidns = l.k.RootPIDNamespace().NewChild(l.k.SupervisorContext(), l.k, l.k.RootUserNamespace())
 		}
 		ep.pidnsPath = ns.Path
 	} else {