| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 13 Apr 2020 14:46:34 -0400
From: Tejun Heo <tj@...nel.org>
To: Christian Brauner <christian.brauner@...ntu.com>
Cc: Jens Axboe <axboe@...nel.dk>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel@...r.kernel.org, linux-block@...r.kernel.org,
linux-api@...r.kernel.org, Jonathan Corbet <corbet@....net>,
Serge Hallyn <serge@...lyn.com>,
"Rafael J. Wysocki" <rafael@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Saravana Kannan <saravanak@...gle.com>,
Jan Kara <jack@...e.cz>, David Howells <dhowells@...hat.com>,
Seth Forshee <seth.forshee@...onical.com>,
David Rheinsberg <david.rheinsberg@...il.com>,
Tom Gundersen <teg@...m.no>,
Christian Kellner <ckellner@...hat.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
Stéphane Graber <stgraber@...ntu.com>,
linux-doc@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH 4/8] kernfs: handle multiple namespace tags
On Wed, Apr 08, 2020 at 05:21:47PM +0200, Christian Brauner wrote:
> Since [1] kernfs supports namespace tags. This feature is essential to
> enable sysfs to present different views of on various parts depending on
> the namespace tag. For example, the /sys/class/net/ directory will only
> show network devices that belong to the network namespace that sysfs was
> mounted in. This is achieved by stashing a reference to the network
> namespace of the task mounting sysfs in the super block. And when a
> lookup operation is performed on e.g. /sys/class/net/ kernfs will
> compare the network namespace tag of the kernfs_node associated with the
> device and kobject of the network device to the network namespace of the
> network device. This ensures that only network devices owned by the
> network namespace sysfs was mounted in are shown, a feature which is
> essential to containers.
> For loopfs to show correct permissions in sysfs just as with network
> devices we need to be able to tag kernfs_super_info with additional
> namespaces. This extension was even already mentioned in a comment to
> struct kernfs_super_info:
> /*
> * Each sb is associated with one namespace tag, currently the
> * network namespace of the task which mounted this kernfs
> * instance. If multiple tags become necessary, make the following
> * an array and compare kernfs_node tag against every entry.
> */
> This patch extends the kernfs_super_info and kernfs_fs_context ns
> pointers to fixed-size arrays of namespace tags. The size is taken from
> the namespaces currently supported by kobjects, i.e. we don't extend it
> to cover all namespace but only the ones kernfs needs to support.
> In addition, the kernfs_node struct gains an additional member that
> indicates the type of namespace this kernfs_node was tagged with. This
> allows us to simply retrieve the correct namespace tag from the
> kernfs_fs_context and kernfs_super_info ns array with a simple indexing
> operation. This has the advantage that we can just keep passing down the
> correct namespace instead of passing down the array.
>
> [1]: 608b4b9548de ("netns: Teach network device kobjects which namespace they are in.")
> Cc: Tejun Heo <tj@...nel.org>
> Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> Signed-off-by: Christian Brauner <christian.brauner@...ntu.com>
Acked-by: Tejun Heo <tj@...nel.org>
Thanks.
--
tejun
Powered by blists - more mailing lists