lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Mar 2014 16:49:23 -0700 From: ebiederm@...ssion.com (Eric W. Biederman) To: Vivek Goyal <vgoyal@...hat.com> Cc: Andy Lutomirski <luto@...capital.net>, Simo Sorce <ssorce@...hat.com>, "linux-kernel\@vger.kernel.org" <linux-kernel@...r.kernel.org>, cgroups@...r.kernel.org, Network Development <netdev@...r.kernel.org>, "David S. Miller" <davem@...emloft.net>, Tejun Heo <tj@...nel.org>, jkaluza@...hat.com, lpoetter@...hat.com, kay@...hat.com Subject: Re: [PATCH 2/2] net: Implement SO_PEERCGROUP Vivek Goyal <vgoyal@...hat.com> writes: > On Thu, Mar 13, 2014 at 12:58:14PM -0700, Andy Lutomirski wrote: >> On Thu, Mar 13, 2014 at 12:53 PM, Vivek Goyal <vgoyal@...hat.com> wrote: >> > On Thu, Mar 13, 2014 at 10:55:16AM -0700, Andy Lutomirski wrote: >> > >> > [..] >> >> >> 2. Docker is a container system, so use the "container" (aka >> >> >> namespace) APIs. There are probably several clever things that could >> >> >> be done with /proc/<pid>/ns. >> >> > >> >> > pid is racy, if it weren't I would simply go straight >> >> > to /proc/<pid>/cgroups ... >> >> >> >> How about: >> >> >> >> open("/proc/self/ns/ipc", O_RDONLY); >> >> send the result over SCM_RIGHTS? >> > >> > As I don't know I will ask. So what will server now do with this file >> > descriptor of client's ipc namespace. >> > >> > IOW, what information/identifier does it contain which can be >> > used to map to pre-configrued per container/per namespace policies. >> >> Inode number, which will match that assigned to the container at runtime. >> > > But what would I do with this inode number. I am assuming this is > generated dynamically when respective namespace was created. To me > this is like assigning a pid dynamically and one does not create > policies in user space based on pid. Similarly I will not be able > to create policies based on an inode number which is generated > dynamically. > > For it to be useful, it should map to something more static which > user space understands. But the mapping can be done in userspace. stat all of the namespaces you care about, get their inode numbers, and then do a lookup. Hard coding string based names in the kernel the way cgroups does is really pretty terrible and it seriously limits the flexibility of the api, and so far breaks nested containers. Eric -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists