| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 14 Oct 2014 10:25:53 -0400
From: Richard Guy Briggs <rgb@...hat.com>
To: "Serge E. Hallyn" <serge@...lyn.com>
Cc: linux-audit@...hat.com, linux-kernel@...r.kernel.org,
containers@...ts.linux-foundation.org, eparis@...hat.com,
sgrubb@...hat.com, aviro@...hat.com, pmoore@...hat.com,
arozansk@...hat.com, ebiederm@...ssion.com
Subject: Re: [PATCH V5 13/13] Documentation: add a section for /proc/<pid>/ns/
On 14/10/13, Serge E. Hallyn wrote:
> Quoting Richard Guy Briggs (rgb@...hat.com):
> > ---
>
> Acked-by: Serge Hallyn <serge.hallyn@...onical.com>
>
> (some nitpicking below)
>
> Thanks, Richard. IMO this patchset is great at the moment. Now if I
> checkpoint a container, migrate it to another machine, and restart it
> there, the serial numbers will no longer match, but as the creations are
> all logged, userspace can track the changed snum, so I don't believe
> that is a problem. (Pretty sure we've discussed that before, mostly
> mentioning it here to think through it myself)
In fact, these last two are included for completeness, but deprecated,
since as has been pointed out it is visible from inside the container.
I am expecting to drop the last two patches since the necessary
information is available to the audit logs in previous patches, which
can be made available to docker or other container supervisor.
> > Documentation/filesystems/proc.txt | 16 ++++++++++++++++
> > 1 files changed, 16 insertions(+), 0 deletions(-)
> >
> > diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt
> > index ddc531a..c4bfd6f 100644
> > --- a/Documentation/filesystems/proc.txt
> > +++ b/Documentation/filesystems/proc.txt
> > @@ -42,6 +42,7 @@ Table of Contents
> > 3.6 /proc/<pid>/comm & /proc/<pid>/task/<tid>/comm
> > 3.7 /proc/<pid>/task/<tid>/children - Information about task children
> > 3.8 /proc/<pid>/fdinfo/<fd> - Information about opened file
> > + 3.9 /proc/<pid>/ns/<ns>{,_snum} - Information about process namespaces
> >
> > 4 Configuring procfs
> > 4.1 Mount options
> > @@ -1744,6 +1745,21 @@ pair provide additional information particular to the objects they represent.
> > optional and may be omitted if no marks created yet.
> >
> >
> > +3.9 /proc/<pid>/ns/<nstype>{,_snum} - Information about process namespaces
> > +--------------------------------------------------------------------------
> > +These files provides information about the namespaces within which the process
>
> s/provides/provide/
>
> > +is contained. The files named only with the namespace type <nstype> contain a
> > +link that lists the containing namespace' inode number in its proc filesystem.
>
> s/'/'s/
>
> ... Maybe add "And which can be used with setns(2)."
>
> > +The files with suffix _snum contain a link that lists the containing
> > +namespace' instance serial number, unique per kernel since boot. The
>
> s/'/'s/
>
> > +namespace types are self-describing.
> > +
> > +The output format of the inode links is:
> > + <nstype>:[<inode_number>]
> > +The output format of the serial number links is:
> > + <nstype>_snum:[<serial_number>]
> > +
> > +
> > ------------------------------------------------------------------------------
> > Configuring procfs
> > ------------------------------------------------------------------------------
> > --
> > 1.7.1
- RGB
--
Richard Guy Briggs <rbriggs@...hat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists