Open Source and information security mailing list archives
 
Message-ID: <CACsf_wzWsoGzpHfaktotjXkrAAEgdL9Rp9A+-GD-Vkh24MZGjA@mail.gmail.com>
Date:	Sat, 12 Mar 2016 00:54:43 +0200
From:	Cole <cole@...eqint.net>
To:	David Lang <david@...g.hm>
Cc:	Al Viro <viro@...iv.linux.org.uk>,
	LKML <linux-kernel@...r.kernel.org>,
	"Austin S. Hemmelgarn" <ahferroin7@...il.com>,
	Richard Weinberger <richard@....at>
Subject: Re: Variant symlink filesystem

On 12 March 2016 at 00:48, David Lang <david@...g.hm> wrote:
> On Sat, 12 Mar 2016, Cole wrote:
>
>> On 12 March 2016 at 00:24, Al Viro <viro@...iv.linux.org.uk> wrote:
>>>
>>> On Sat, Mar 12, 2016 at 12:03:11AM +0200, Cole wrote:
>>>
>>>> This was one of the first solutions we looked at, and using various
>>>> namespaces. However we would like to be able to have multiple terminal
>>>> sessions open, and be able to have each session using a different
>>>> mount point, or be able to use the other terminals mount point, i.e.
>>>> switching the mount point to that of the other terminals. We would
>>>> also like the shell to be able to make use of these, and use shell
>>>> commands such as 'ls'.
>>>>
>>>> When we originally looked at namespaces and containers, we could not
>>>> find a solution to achieve the above. Is this possible using
>>>> namespaces?
>>>
>>> I'd try to look at setns(2) if you want processes joining existing
>>> namespaces.
>>> I'm afraid that I'll need to get some sleep before I'll be up to asking
>>> the right questions for figuring out what requirements you have and
>>> what's the best way to do it - after a while coffee stops being efficient
>>> and I'm already several hours past that ;-/
>>
>> Sure, not a problem, when you have time to reply I will gladly welcome
>> any feedback.
>>
>> As for the usage, I'll explain it a bit so that you have something to
>> work off of when you get a chance to read it.
>>
>> The problem we encountered with namespaces when we looked at it more
>> than a year ago was 'how do you get the shell' to join them, or into
>> one. And also how do you move the shell in one terminal session into a
>> namespace that another shell is currently in. We wanted a solution
>> that doesn't require modifying existing programs to make them
>> namespace aware. However, as I said, this was more than a year ago
>> that we looked at it, and we could easily have misunderstood
>> something, or not understood the full functionality available. If you
>> say this is possible, without modifying programs such as bash, could
>> you please point me in the direction of the documentation describing
>> this, and I will try to educate myself.
>
> Looking at the setns() function, it seems like you could have a suid helper
> program that you run in one session that changes the namespace and then
> invokes a bash shell in that namespace that you then run unmodified stuff
> in.
>
> It seems like there should be a way for a root program to change the
> namespace of another, but I'm not finding it at the moment.
>
> There is the nsenter program that will run a program inside an existing
> namespace. It looks like you need something similar that implements some
> permission checking (only let you go into namespaces of other programs for
> the same user or similar), but you should be able to make proof-of-concept
> scripts with nsenter.

Thank you very much for the explanation and links.

If I understand you correctly, you have described something similar to
how Docker functions, with a single daemon that runs, and the various
support binaries make calls to it to perform the necessary functions.
The only concern, as you mentioned, is that there does not seem to be
any functionality available to move a process from one namespace to
another. However, the only process in my design that would need to do
that would be the shell, so nsenter might be sufficient.

I will look into your suggestions, as it then means I do not need to
have anything inlined into the kernel.

Thank you for all the help and advice.

Regards
/Cole
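The suid helper David Lang sketches above (join another session's mount namespace with setns(2), then exec an unmodified shell, but only after a permission check that limits you to namespaces of processes owned by the same user) looks roughly like the following. This is an added example for readers of the thread, not code posted by any participant and not part of nsenter or the kernel; the function names `parse_status_uid`, `join_allowed`, `may_join_pid` and `join_mount_ns_and_exec` are this example's own, and the `/proc/<pid>/status` text in the comments is constructed.

```c
/* Added example: an nsenter-like helper with the ownership check
 * discussed in the thread. Not from the thread, util-linux or the kernel. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Parse the "Uid:" line of a /proc/<pid>/status text (e.g. the constructed
 * line "Uid:\t1000\t1000\t1000\t1000") into real and effective uids.
 * Returns 0 on success, -1 if the line is absent or malformed. */
int parse_status_uid(const char *status_text, uid_t *real_uid, uid_t *eff_uid)
{
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, "Uid:", 4) == 0) {
            unsigned long r, e;
            if (sscanf(p + 4, "%lu %lu", &r, &e) != 2)
                return -1;
            *real_uid = (uid_t)r;
            *eff_uid = (uid_t)e;
            return 0;
        }
        p = strchr(p, '\n');   /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* Policy from the thread: the caller may only join namespaces of a process
 * whose real AND effective uid equal the caller's real uid. Checking both
 * keeps a user from hopping into the namespace of a setuid process that
 * merely started out as theirs. Returns 1 if allowed, 0 otherwise. */
int join_allowed(uid_t target_real, uid_t target_eff, uid_t caller_real)
{
    return (target_real == caller_real && target_eff == caller_real) ? 1 : 0;
}

/* Apply join_allowed() to a live pid by reading its /proc status file.
 * Returns 1 if allowed, 0 if denied, -1 on error (errno set). */
int may_join_pid(pid_t target, uid_t caller_real_uid)
{
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%ld/status", (long)target);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);   /* status files are small */
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    uid_t r, e;
    if (parse_status_uid(buf, &r, &e) != 0) { errno = EINVAL; return -1; }
    return join_allowed(r, e, caller_real_uid);
}

/* Join the target's mount namespace and exec an unmodified shell in it.
 * setns(2) on a mount namespace needs CAP_SYS_ADMIN, which is why the
 * helper is installed setuid; it checks the policy against the *real*
 * (invoking) uid and drops back to that uid before exec, so the shell
 * itself runs unprivileged. Returns only on failure (-1, errno set). */
int join_mount_ns_and_exec(pid_t target, const char *shell)
{
    uid_t real_uid = getuid();
    int ok = may_join_pid(target, real_uid);
    if (ok != 1) { if (ok == 0) errno = EPERM; return -1; }
#ifdef __linux__
    char nspath[64];
    snprintf(nspath, sizeof nspath, "/proc/%ld/ns/mnt", (long)target);
    int nsfd = open(nspath, O_RDONLY | O_CLOEXEC);
    if (nsfd < 0) return -1;
    if (setns(nsfd, CLONE_NEWNS) != 0) { close(nsfd); return -1; }
    close(nsfd);
    /* Drop the privilege gained from the setuid bit before running anything. */
    if (setgid(getgid()) != 0 || setuid(real_uid) != 0) return -1;
    execl(shell, shell, (char *)NULL);
    return -1;                      /* only reached if exec fails */
#else
    (void)shell; errno = ENOSYS; return -1;   /* namespaces are Linux-only */
#endif
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 2; }
    pid_t target = (pid_t)strtol(argv[1], NULL, 10);
    /* A fixed shell path: a setuid helper must not trust $SHELL. */
    if (join_mount_ns_and_exec(target, "/bin/sh") != 0) {
        perror("join_mount_ns_and_exec");
        return 1;
    }
    return 0;
}
```

Run as `./nsjoin <pid-of-the-other-terminal's-shell>` after installing the binary setuid root; the shell that comes up sees the other session's mounts, which is what the thread asks for without modifying bash. The check is deliberately on the invoking user's real uid, not on the helper's effective uid, otherwise the setuid bit would let anyone join anyone's namespace.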
