| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 24 Aug 2014 10:52:24 -0700 From: Andy Lutomirski <luto@...capital.net> To: Richard Guy Briggs <rgb@...hat.com> Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, Eric Paris <eparis@...hat.com>, Steve Grubb <sgrubb@...hat.com>, arozansk@...hat.com, linux-audit@...hat.com, Linux API <linux-api@...r.kernel.org>, Linux Containers <containers@...ts.linux-foundation.org>, "Serge E. Hallyn" <serge@...lyn.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Re: [PATCH V4 3/8] namespaces: expose ns instance serial numbers in proc On Thu, Aug 21, 2014 at 6:58 PM, Richard Guy Briggs <rgb@...hat.com> wrote: > On 14/08/21, Andy Lutomirski wrote: >> On Aug 20, 2014 8:12 PM, "Richard Guy Briggs" <rgb@...hat.com> wrote: >> > Expose the namespace instace serial numbers in the proc filesystem at >> > /proc/<pid>/ns/<ns>_snum. The link text gives the serial number in hex. >> >> What's the use case? >> >> I understand the utility of giving unique numbers to the audit code, >> but I don't think this part is necessary for that, and I'd like to >> understand what else will use this before committing to a duplicative >> API like this. > > How does a container manager get those numbers? It could provoke a task > to cause an audit event that emits a NS_INFO message, or it could run a > task in that container to report its namespace serial numbers directly > from its /proc mount. Why does a container manager need them? Is there any reason that keeping them entirely contained within the audit system would be a problem? > > The discussion in this thread touches on the use cases: > https://lkml.org/lkml/2014/4/22/662 > >> Note that this API is thoroughly incompatible with CRIU. If we do >> this, someone will ask for a namespace number namespace, and that way >> lies madness. > > I had a very brief look at CRIU, but not enough to understand the issue. > Others have hinted at this problem. > > Do you have a suggestion of a different approach that would be > compatible with CRIU? > > I'd originally considered some sort of UUID that would be globally > unique, but that would be very hard to devise or guarantee, and besides, > namespaces aren't only used by containers and could be shared in other > ways. Tracking the usage and migration of namespaces should be the task > of an upper layer. > CRIU wants to save the complete state of a namespace and then restore it. For that to work, any information exposed to things in the namespace *cannot* be globally unique or unique per boot, since CRIU needs to arrange for that information to match whatever it was when CRIU saved it. Also, I think that code running in a namespace has no business even knowing a unique identity of that namespace from the perspective of the host. Here's a specific use case for *not* exposing this: Tor. Ideally, Tor clients would run in a namespace that does not know about any global identity. That means no IP addresses, but it also means no global namespace serial numbers. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists