lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 06 Nov 2008 18:02:24 -0800
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	linux-kernel@...r.kernel.org, adobriyan@...il.com,
	viro@...IV.linux.org.uk, containers@...ts.osdl.org
Subject: Re: [PATCH 2/7] proc: Implement support for automounts in task directories

Andrew Morton <akpm@...ux-foundation.org> writes:

> On Thu, 06 Nov 2008 02:48:35 -0800
> ebiederm@...ssion.com (Eric W. Biederman) wrote:
>
>> This is a genearl mechanism that is capable of removing
>> any unused mounts on /proc in any directory.  As we flush
>> the mounts when a processes dies this mechanism is tailored
>> for flushing mounts in the per task and per task group
>> directories.
>
> What I'm missing here is any sense of what these patches are for,
> where they're headed, what the big picture is, etc?

Sorry.

> My vague guess is that perhaps it has something to do with mounting
> procfs multiple times in separate containers.  How did I do?

The big picture is that right now /proc/<pid>/net/stat
is a directory that is hard linked in different locations.

Which means you can deadlock rename at the vfs level
(despite the fact that proc doesn't support rename).

So this patchset splits /proc/net out into it's own filesystem
so we don't have multiple hard links.

It uses the vfs level automounts  to preserve backwards compatibility
so user space does not need to explicitly mount /proc/<pid>/net.

When Al noticed the problem there was some security drama, and
people were privately cc'd etc.  And however it works I am incompetent
at getting patches merged in that kind of environment.  So these
patches have languished since the middle of September.

On one level these patches constitute a bug fix for the bug
of having multiple hard links in /proc/net.  At another level
these patches are a clean up and a nice to have feature.  Allowing
a network namespace to be monitored in the weird interval between when
the last processes goes away and when the network namespace is destroyed.
Because you can mount /proc/net independently.

Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ