lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160802194437.GD15324@fieldses.org>
Date:	Tue, 2 Aug 2016 15:44:37 -0400
From:	"J. Bruce Fields" <bfields@...ldses.org>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
Cc:	Nikolay Borisov <kernel@...p.com>, jlayton@...chiereds.net,
	viro@...iv.linux.org.uk, linux-kernel@...r.kernel.org,
	linux-fsdevel@...r.kernel.org,
	containers@...ts.linux-foundation.org, serge.hallyn@...onical.com
Subject: Re: [RFC PATCH] locks: Show only file_locks created in the same
 pidns as current process

On Tue, Aug 02, 2016 at 02:09:22PM -0500, Eric W. Biederman wrote:
> "J. Bruce Fields" <bfields@...ldses.org> writes:
> 
> > On Tue, Aug 02, 2016 at 11:00:39AM -0500, Eric W. Biederman wrote:
> >> Nikolay Borisov <kernel@...p.com> writes:
> >> 
> >> > Currently when /proc/locks is read it will show all the file locks
> >> > which are currently created on the machine. On containers, hosted
> >> > on busy servers this means that doing lsof can be very slow. I
> >> > observed up to 5 seconds stalls reading 50k locks, while the container
> >> > itself had only a small number of relevant entries. Fix it by
> >> > filtering the locks listed by the pidns of the current process
> >> > and the process which created the lock.
> >> 
> >> The locks always confuse me so I am not 100% connecting locks
> >> to a pid namespace is appropriate.
> >> 
> >> That said if you are going to filter by pid namespace please use the pid
> >> namespace of proc, not the pid namespace of the process reading the
> >> file.
> >
> > Oh, that makes sense, thanks.
> >
> > What does /proc/mounts use, out of curiosity?  The mount namespace that
> > /proc was originally mounted in?
> 
> /proc/mounts -> /proc/self/mounts

D'oh, I knew that.

> /proc/[pid]/mounts lists mounts from the mount namespace of the
> appropriate process.
> 
> That is another way to go but it is a tread carefully thing as changing
> things that way it is easy to surprise apparmor or selinux rules and be
> surprised you broke someones userspace in a way that prevents booting.
> Although I suspect /proc/locks isn't too bad.

OK, thanks.

/proc/[pid]/locks might be confusing.  I'd expect it to be "all the
locks owned by this task", rather than "all the locks owned by pid's in
the same pid namespace", or whatever criterion we choose.

Uh, I'm still trying to think of the Obviously Right solution here, and
it's not coming.

--b.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ