1555462054 M * Bertl_oO off to bed now ... have a good one everyone!
1555462055 N * Bertl_oO Bertl_zZ
1555473163 J * fstd ~fstd@xdsl-87-78-140-160.nc.de
1555473634 Q * fstd_ Ping timeout: 480 seconds
1555474260 Q * obeardly Ping timeout: 480 seconds
1555474816 J * obeardly ~obeardly@2603:3011:1661:0:9657:a5ff:feae:1552
1555480050 Q * obeardly charon.oftc.net resistance.oftc.net
1555480050 Q * dustinm` charon.oftc.net resistance.oftc.net
1555480050 Q * ntrs charon.oftc.net resistance.oftc.net
1555480050 Q * jrklein charon.oftc.net resistance.oftc.net
1555480050 Q * jrayhawk charon.oftc.net resistance.oftc.net
1555480050 Q * gnarface charon.oftc.net resistance.oftc.net
1555480050 Q * yang__ charon.oftc.net resistance.oftc.net
1555480050 Q * zerick_ charon.oftc.net resistance.oftc.net
1555480050 Q * Aiken charon.oftc.net resistance.oftc.net
1555480050 Q * romster charon.oftc.net resistance.oftc.net
1555480112 J * obeardly ~obeardly@2603:3011:1661:0:9657:a5ff:feae:1552
1555480112 J * Aiken ~Aiken@b951.h.jbmb.net
1555480112 J * dustinm` ~dustinm`@68.ip-149-56-14.net
1555480112 J * ntrs ~ntrs@vault08.rosehosting.com
1555480112 J * romster ~romster@158.140.215.184
1555480112 J * gnarface ~gnarface@108-227-52-42.lightspeed.irvnca.sbcglobal.net
1555480112 J * jrklein ~cloud@34.234.31.16
1555480112 J * yang__ ~yang@199.189.205.50
1555480112 J * jrayhawk ~jrayhawk@nursie.omgwallhack.org
1555480112 J * zerick_ ~zerick@irc.quassel.zerick.io
1555480112 F * resistance.oftc.net +v zerick_
1555487670 J * hijacker ~nikolay@149.235.255.3
1555492749 M * thithib so about the triggered WARN_ON I mentioned above, it comes from the VServer code snippet in find_child_reaper. Basically VServer doesn't support the fact that something else might be handling its own PIDNS.
1555492764 M * thithib (from what I understand, obviously :) )
1555492848 M * thithib when the zygote process (PID 1 in Chromium's sandbox PIDNS) exits, its children are reparented to the vx_reaper and thus zap_pid_ns_processes() isn't called
1555492926 M * thithib which in turn means disable_pid_allocation() isn't called and 'ns->nr_hashed &= ~PIDNS_HASH_ADDING' isn't performed
1555492933 M * thithib which triggers the warning
1555495294 Q * romster
1555502477 N * Bertl_zZ Bertl
1555502480 M * Bertl morning folks!
1555502793 M * Bertl thithib: interesting ...
1555502838 M * Bertl back, so reading up on your reports now
1555502880 Q * transacid Ping timeout: 480 seconds
1555504130 J * romster ~romster@158.140.215.184
1555506622 Q * Aiken Remote host closed the connection
1555506716 Q * romster
1555506922 J * romster ~romster@158.140.215.184
1555507053 J * transacid ~transacid@transacid.de
1555511552 M * thithib so for the first issue (in pid_revalidate()), I've added in the condition: && !vx_check((vxid_t) i_tag_read(inode), VS_IDENT)
1555511574 M * thithib (and removed the d_drop())
1555511684 M * thithib and for the second issue, I added in the condition in find_child_reaper(): vxi->space[0].vx_nsproxy->pid_ns_for_children == pid_ns
1555511765 M * thithib so that the VServer code snippet doesn't do reaper = vxi->vx_reaper when a process in a PID NS that is different from the PIDNS of the context exits
1555511847 M * thithib so far it seems to solve the Chromium SUID sandbox issue and runs smoothly
1555512173 M * Bertl okay, I do not like the extensive special casing in the main paths though ...
1555512210 M * Bertl might it be an option to have some kind of flag or capability to enable this?
1555512250 M * Bertl in any case, please be so kind and upload patches for the modification to look at (or send them via email)
1555512294 M * Bertl off for now .. bbl
1555512298 N * Bertl Bertl_oO
1555512352 M * thithib okay, I do not like the extensive special casing in the main paths though ... // yes, I understand :)
1555512385 M * thithib I'm working on an offline machine so I can't send patches for now
1555512409 M * thithib that's why I've been putting things here
1555512620 M * thithib that's the best I can do for now, sorry for that :/ We'll try to release another version of our port in the future.
1555516489 Q * hijacker
1555517436 Q * Ghislain Ping timeout: 480 seconds
1555518170 J * Ghislain ~Ghislain@areims-651-1-94-247.w90-58.abo.wanadoo.fr
1555525962 M * Bertl_oO thithib: okay, let's take a step back and discuss why you are getting those issues and what your typical use cases are, yes?
1555526056 M * Bertl_oO as far as I understand, you have a bunch of security/isolation related patches combined with moderately recent kernels (grsec, Linux-VServer, etc?)
1555526088 M * Bertl_oO and you create small compartments for single? applications?
1555528057 Q * Ghislain Ping timeout: 480 seconds
1555528101 J * Ghislain ~Ghislain@211.ip-51-68-231.eu
1555531165 J * Aiken ~Aiken@b951.h.jbmb.net
1555536012 Q * Ghislain Ping timeout: 480 seconds
1555536843 Q * obeardly Ping timeout: 480 seconds
1555536868 J * obeardly ~obeardly@2603:3011:1661:0:9657:a5ff:feae:1552
1555539272 J * Ghislain ~Ghislain@211.ip-51-68-231.eu