lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 16 Oct 2017 15:07:52 -0700
From:   Nagarathnam Muthusamy <nagarathnam.muthusamy@...cle.com>
To:     Andrew Morton <akpm@...ux-foundation.org>,
        Konstantin Khlebnikov <khlebnikov@...dex-team.ru>
Cc:     Oleg Nesterov <oleg@...hat.com>, linux-api@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        Serge Hallyn <serge.hallyn@...ntu.com>,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        Eugene Syromiatnikov <esyr@...hat.com>,
        prakash sangappa <prakash.sangappa@...cle.com>
Subject: Re: [PATCH v4] pidns: introduce syscall translate_pid



On 10/16/2017 02:36 PM, Andrew Morton wrote:
> On Sat, 14 Oct 2017 11:17:47 +0300 Konstantin Khlebnikov <khlebnikov@...dex-team.ru> wrote:
>
>>>>> pid_t translate_pid(pid_t pid, int source, int target);
>>>>>
>>>>> This syscall converts pid from source pid-ns into pid in target pid-ns.
>>>>> If pid is unreachable from target pid-ns it returns zero.
>>>>>
>>>>> Pid-namespaces are referred file descriptors opened to proc files
>>>>> /proc/[pid]/ns/pid or /proc/[pid]/ns/pid_for_children. Negative argument
>>>>> refers to current pid namespace, same as file /proc/self/ns/pid.
>>>>>
>>>>> Kernel expose virtual pids in /proc/[pid]/status:NSpid, but backward
>>>>> translation requires scanning all tasks. Also pids could be translated
>>>>> by sending them through unix socket between namespaces, this method is
>>>>> slow and insecure because other side is exposed inside pid namespace.
>> Andrew asked why we might need this.
>>
>> Such conversion is required for interaction between processes across pid-namespaces.
>> For example to identify process in container by pid file looking from outside.
>>
>> Two years ago I've solved this in project of mine with monstrous code which
>> forks couple times just to convert pid, lucky for me performance wasn't important.
> That's a single user who needed this a single time, and found a
> userspace-based solution anyway.  This is not exactly compelling!
>
> Is there a stronger case to be made?  How does this change benefit our
> users?  Sell it to us!
Oracle database is planning to use pid namespace for sandboxing database 
instances and they need an API similar to translate_pid to effectively 
translate process IDs from other pid namespaces. Prakash (cced in mail) 
can provide more details on this usecase.

Thanks,
Nagarathnam.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ