| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 29 Feb 2008 09:38:11 -0600 From: serge@...lyn.com To: Pavel Emelyanov <xemul@...nvz.org> Cc: serge@...lyn.com, "Eric W. Biederman" <ebiederm@...ssion.com>, Andrew Morton <akpm@...ux-foundation.org>, David Miller <davem@...emloft.net>, Alexey Dobriyan <adobriyan@...nvz.org>, Linux Netdev List <netdev@...r.kernel.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Subject: Re: [PATCH 0/2] Fix /proc/net in presence of net namespaces Quoting Pavel Emelyanov (xemul@...nvz.org): > [snip] > > >> However at least for visibility and inspection we want that. > >> We want to inspect what is happening to other processes. If we didn't > >> care then all of the pid namespaces could just be disjoint. > > > > But the way Pavel has it coded, only tasks in the init namespace can > > view /proc/.net/* for any other net namespaces. > > This is not essential part of the patch :) I did so to make my > life in init namespace easier. This part can be dropped. > > [snip] > > >> Think of user space processes inspecting /proc etc. > > > > Well a task in one pid namespace cannot view the /proc for another pid > > namespace, right? > > No. Pid namespace provides another pid-to-task map, but have noting > to do with VFS visibility. > > >> Having directory > >> names change out form under you for no apparent reason is pretty nasty. > > > > Yes, but they won't just 'change out' from under you, you ask for it... > > But here like I said I do prefer an approach where /proc/net is bind > > mounted by the user. But I have no good reason to back it up... > > If you make /proc/net be a bund mount then you have to force all of > the users to update their init scripts. I tried to make so with sysctl > filesystem, but this thread was not very popular :) Ok. A symlink is far preferable to sneaky redirection imo. > Another way to do so - is to mount this one from inside the kernel, > but are you ready to fight with Al Viro for this? :) Nope :) Especially since it's an ugly idea. > [snip] > > >> So I think /proc/.netns/ or simply /proc/netns/ is a good choice. We > >> just need a non-global id for our directory entries so we don't paint > >> ourselves into a corner. > > > > But I don't see how this is going to work. If you're using a pid_nr > > inside a pid namespace, then you're not guaranteeing that the pid_nr > > will be unique, so you may not be able to create th e/proc/.netns/X > > directory. If you're using the global pid, then you're not guaranteeing > > that it will be available upon a container restart. > > Right - this is the same as using other ids, which I propose. > > >> And honestly pid visibility is a very natural choice for which network > >> namespaces you can see. You can see the namespace of any process you > >> can see. Which especially means your children. It is an arbitrary > >> rule, it is a simple rule to explain, and it works recursively unlike > > > > But apparently not simple enough for a simpleton like me to understand, > > sorry :( > > > >> any init_net is special rule. > >> > >> Eric I suspect I'm misunderstanding Eric's proposal, though. -serge -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists