Date: Mon, 13 Apr 2020 14:46:34 -0400
From: Tejun Heo <tj@...nel.org>
To: Christian Brauner <christian.brauner@...ntu.com>
Cc: Jens Axboe <axboe@...nel.dk>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, linux-kernel@...r.kernel.org, linux-block@...r.kernel.org, linux-api@...r.kernel.org, Jonathan Corbet <corbet@....net>, Serge Hallyn <serge@...lyn.com>, "Rafael J. Wysocki" <rafael@...nel.org>, "David S. Miller" <davem@...emloft.net>, Saravana Kannan <saravanak@...gle.com>, Jan Kara <jack@...e.cz>, David Howells <dhowells@...hat.com>, Seth Forshee <seth.forshee@...onical.com>, David Rheinsberg <david.rheinsberg@...il.com>, Tom Gundersen <teg@...m.no>, Christian Kellner <ckellner@...hat.com>, Dmitry Vyukov <dvyukov@...gle.com>, Stéphane Graber <stgraber@...ntu.com>, linux-doc@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH 4/8] kernfs: handle multiple namespace tags

On Wed, Apr 08, 2020 at 05:21:47PM +0200, Christian Brauner wrote:
> Since [1] kernfs supports namespace tags. This feature is essential to
> enable sysfs to present different views on various parts depending on
> the namespace tag. For example, the /sys/class/net/ directory will only
> show network devices that belong to the network namespace that sysfs was
> mounted in. This is achieved by stashing a reference to the network
> namespace of the task mounting sysfs in the super block. And when a
> lookup operation is performed on e.g. /sys/class/net/ kernfs will
> compare the network namespace tag of the kernfs_node associated with the
> device and kobject of the network device to the network namespace of the
> network device. This ensures that only network devices owned by the
> network namespace sysfs was mounted in are shown, a feature which is
> essential to containers.
>
> For loopfs to show correct permissions in sysfs just as with network
> devices we need to be able to tag kernfs_super_info with additional
> namespaces. This extension was even already mentioned in a comment to
> struct kernfs_super_info:
>
> /*
>  * Each sb is associated with one namespace tag, currently the
>  * network namespace of the task which mounted this kernfs
>  * instance. If multiple tags become necessary, make the following
>  * an array and compare kernfs_node tag against every entry.
>  */
>
> This patch extends the kernfs_super_info and kernfs_fs_context ns
> pointers to fixed-size arrays of namespace tags. The size is taken from
> the namespaces currently supported by kobjects, i.e. we don't extend it
> to cover all namespaces but only the ones kernfs needs to support.
>
> In addition, the kernfs_node struct gains an additional member that
> indicates the type of namespace this kernfs_node was tagged with. This
> allows us to simply retrieve the correct namespace tag from the
> kernfs_fs_context and kernfs_super_info ns array with a simple indexing
> operation. This has the advantage that we can just keep passing down the
> correct namespace instead of passing down the array.
>
> [1]: 608b4b9548de ("netns: Teach network device kobjects which namespace they are in.")
>
> Cc: Tejun Heo <tj@...nel.org>
> Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> Signed-off-by: Christian Brauner <christian.brauner@...ntu.com>

Acked-by: Tejun Heo <tj@...nel.org>

Thanks.

--
tejun
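The visibility rule the commit message describes (a superblock carries one tag per namespace type, a node records which type it was tagged with, and lookup compares the node's tag against the superblock entry at that index) can be modelled outside the kernel. The following is an added, self-contained C model written for this archive page; it is not kernfs code and none of its names (`sb_info`, `node`, `lookup`, `NS_USER`) exist in the kernel. The namespace types, the sample entries and the choice of a user namespace as the second tag type are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical namespace types a node may be tagged with; NS_NONE means
 * "global, visible from every mount". NS_TYPE_COUNT sizes the tag array. */
enum ns_type { NS_NONE = 0, NS_NET, NS_USER, NS_TYPE_COUNT };

/* Model of a superblock: one opaque tag per namespace type, indexed by type.
 * A NULL entry means the mount was not tagged with that namespace type. */
struct sb_info {
    const void *ns[NS_TYPE_COUNT];
};

/* Model of a directory entry: its name, the type of tag it carries, and the
 * tag itself (an opaque pointer identifying the owning namespace). */
struct node {
    const char *name;
    enum ns_type ns_type;
    const void *ns;
};

/* Visibility rule: untagged nodes are always visible; a tagged node is visible
 * only if the superblock's tag of the *same type* is the node's tag. The node's
 * ns_type is the index into sb->ns, so no array is passed around. */
static int node_visible(const struct sb_info *sb, const struct node *n)
{
    if (n->ns_type == NS_NONE)
        return 1;
    return sb->ns[n->ns_type] == n->ns;
}

/* Lookup by name: the entry is returned only if it exists and is visible. */
static const struct node *lookup(const struct sb_info *sb, const struct node *dir,
                                 size_t count, const char *name)
{
    for (size_t i = 0; i < count; i++)
        if (strcmp(dir[i].name, name) == 0)
            return node_visible(sb, &dir[i]) ? &dir[i] : NULL;
    return NULL;
}

/* Constructed sample: two network namespaces, one user namespace. Their
 * addresses serve as opaque namespace identities. */
static const int netns_a = 1, netns_b = 2, userns_x = 3;

/* Constructed directory: net devices tagged by netns, one loop device tagged
 * (by assumption) with a user namespace, and one untagged global attribute. */
static const struct node entries[] = {
    { "lo",      NS_NET,  &netns_a },
    { "eth0",    NS_NET,  &netns_a },
    { "veth1",   NS_NET,  &netns_b },
    { "loop0",   NS_USER, &userns_x },
    { "version", NS_NONE, NULL },
};
#define ENTRY_COUNT (sizeof(entries) / sizeof(entries[0]))

/* Number of entries a mount tagged with (net, user) would list on readdir. */
size_t visible_count(const void *net, const void *user)
{
    struct sb_info sb = { { NULL, net, user } };
    size_t n = 0;
    for (size_t i = 0; i < ENTRY_COUNT; i++)
        n += node_visible(&sb, &entries[i]) ? 1 : 0;
    return n;
}

/* Whether a mount tagged with (net, user) can look up the named entry. */
int can_see(const void *net, const void *user, const char *name)
{
    struct sb_info sb = { { NULL, net, user } };
    return lookup(&sb, entries, ENTRY_COUNT, name) != NULL;
}

int main(void)
{
    struct sb_info sb_a = { { NULL, &netns_a, &userns_x } };
    printf("mount tagged (netns_a, userns_x) lists:\n");
    for (size_t i = 0; i < ENTRY_COUNT; i++)
        if (node_visible(&sb_a, &entries[i]))
            printf("  %s\n", entries[i].name);
    printf("eth0 from netns_b: %s\n", can_see(&netns_b, NULL, "eth0") ? "visible" : "hidden");
    return 0;
}
```

The point worth checking in such a scheme is the per-type comparison: `loop0` stays hidden from a mount whose user-namespace slot is NULL even though its network slot matches, and `eth0` stays hidden from a mount in `netns_b` regardless of its other tags, so no entry leaks across namespaces of a different type.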