[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20250506-umtriebe-rhabarber-161f1fcffe56@brauner>
Date: Tue, 6 May 2025 09:33:58 +0200
From: Christian Brauner <brauner@...nel.org>
To: Kuniyuki Iwashima <kuniyu@...zon.com>
Cc: alexander@...alicyn.com, bluca@...ian.org, daan.j.demeyer@...il.com,
davem@...emloft.net, david@...dahead.eu, edumazet@...gle.com, horms@...nel.org,
jack@...e.cz, jannh@...gle.com, kuba@...nel.org, lennart@...ttering.net,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, me@...dnzj.com,
netdev@...r.kernel.org, oleg@...hat.com, pabeni@...hat.com, viro@...iv.linux.org.uk,
zbyszek@...waw.pl
Subject: Re: [PATCH RFC v3 00/10] coredump: add coredump socket
> > The coredump socket is located in the initial network namespace.
>
> I understand this is a reasonable decision to avoid complicated
> path management in the mount ns but keep connectivity from any
> namespace.
Yes, path lookup would not just be horrid it would also require playing
around with credentials and current->fs. The beauty in this
implementation is that its the crash dumping process itself which does
everything.
> > To bind
> > the coredump socket userspace must hold CAP_SYS_ADMIN in the initial
> > user namespace. Listening and reading can happen from whatever
> > unprivileged context is necessary to safely process coredumps.
> >
> > When a task coredumps it opens a client socket in the initial network
> > namespace and connects to the coredump socket. For now only tasks that
> > are acctually coredumping are allowed to connect to the initial coredump
> > socket.
>
> This can be controlled by BPF (cgroup sockops or LSM) if a user
> really cares about spam clients.
>
> I think how to set up coredump is userspace responsibility.
I'll reply to that in the other thread so we don't have millions of
branch points.
> > - Since unix_stream_connect() runs bpf programs during connect it's
> > possible to even redirect or multiplex coredumps to other sockets.
>
> If the socket is in a cgroup, yes, and even if not, BPF LSM can
> reject some requests.
Indeed. I've outlined that in an earlier version as well.
> > - The coredump server should mark itself as non-dumpable.
> > To capture coredumps for the coredump server itself a bpf program
> > should be run at connect to redirect it to another socket in
> > userspace. This can be useful for debugging crashing coredump servers.
> >
> > - A container coredump server in a separate network namespace can simply
> > bind to linuxafsk/coredump.socket and systemd-coredump fowards
> > coredumps to the container.
>
> I think the name should be also configurable in non-initial netns.
I don't see a good reason for this. We can always relax that later if we
have to. The fixed address keeps the coredump setup very very dumb and
simple.
Powered by blists - more mailing lists