| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 26 Feb 2010 17:52:03 -0500 From: Oren Laadan <orenl@...columbia.edu> To: "Eric W. Biederman" <ebiederm@...ssion.com> CC: Pavel Emelyanov <xemul@...allels.com>, Ben Greear <greearb@...delatech.com>, Linux Netdev List <netdev@...r.kernel.org>, containers@...ts.linux-foundation.org, Netfilter Development Mailinglist <netfilter-devel@...r.kernel.org>, Daniel Lezcano <dlezcano@...ibm.com> Subject: Re: [RFC][PATCH] ns: Syscalls for better namespace sharing control. Eric W. Biederman wrote: > Oren Laadan <orenl@...columbia.edu> writes: > >> Eric W. Biederman wrote: >>> Pavel Emelyanov <xemul@...allels.com> writes: >>> >>>>>> Yet another set of per-namespace IDs along with CLONE_NEWXXX ones? >>>>>> I currently have a way to create all namespaces we have with one >>>>>> syscall. Why don't we have an ability to enter them all with one syscall? >>>>> The CLONE_NEWXXX series of bits has been an royal pain to work with, >>>>> and it appears to be unnecessary complications for no gain. >>>> That's the answer for the "Yet another set..." question. >>>> How about the "Why don't we have..." one? >>> I am not certain which question you are asking: >>> >>> Why don't we have an ability to enter all namespaces with one syscall >>> invocation? >> That's how I understood the question, and I, too, wonder why not ? >> >> By the way, an alternative to using bitmap is to change the prototype >> of setns() to accept an array of FD's: >> >> int setns(int *fds, int nfds); >> >> So the process will atomically enter all the namespaces as specified >> by the FDs. > > We could. Mostly I implemented things in the simplest way possible. > > Semantically I know of no reason why need to enter more than one namespace > at once, and I don't expect entering a namespace to be on anyone's fast > path so every last drop of performance was not crucial. > > The only justification I can think of for more than one namespace at a > time is that because we have a synchronize_rcu() in the kernel we can > loop in the kernel much more quickly than we can loop in userspace. Can't think of a specific scenario, but I wonder if there would be a problem (security or otherwise) with a process that only partly belongs to a container, even if for a short time ? Oren. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists