[lxc-devel] [Fwd: Re: [RFC][PATCH] ns: Syscalls for better namespace sharing control.]

Daniel Lezcano daniel.lezcano at free.fr
Mon Mar 8 15:37:56 UTC 2010


Hi all,

just to let you know there is a discussion and a patchset to enter a 
container.

I will prototype the two commands lxc-enter and lxc-exec to make use of 
this new kernel functionality. I will be happy if someone is willing to 
play with these new commands when they are finished.

I hope the patchset will be available for 2.6.35 :)



-------- Original Message --------
Subject: 	Re: [RFC][PATCH] ns: Syscalls for better namespace sharing 
control.
Date: 	Mon, 08 Mar 2010 00:32:49 -0800
From: 	ebiederm at xmission.com (Eric W. Biederman)
To: 	Daniel Lezcano <daniel.lezcano at free.fr>
CC: 	Pavel Emelyanov <xemul at parallels.com>, Sukadev Bhattiprolu 
<sukadev at linux.vnet.ibm.com>, Serge Hallyn <serue at us.ibm.com>, Linux 
Netdev List <netdev at vger.kernel.org>, 
containers at lists.linux-foundation.org, Netfilter Development Mailinglist 
<netfilter-devel at vger.kernel.org>, Ben Greear <greearb at candelatech.com>
References: 	<4B88E431.6040609 at parallels.com> 
<m1bpfbqajn.fsf at fess.ebiederm.org> <4B894564.7080104 at parallels.com> 
<m1iq9io5sc.fsf at fess.ebiederm.org> <4B89727C.9040602 at parallels.com> 
<m1ljeempk6.fsf at fess.ebiederm.org> <4B8AE8C1.1030305 at free.fr> 
<4B8D28CF.8060304 at parallels.com> <20100302211942.GA17816 at us.ibm.com> 
<m1y6iaqsmm.fsf at fess.ebiederm.org> <20100303000743.GA13744 at us.ibm.com> 
<m1ocj6qljj.fsf at fess.ebiederm.org> <4B8E9370.3050300 at parallels.com> 
<m17hptjh3m.fsf at fess.ebiederm.org> <4B9158F5.5040205 at parallels.com> 
<m1vdda1pmx.fsf at fess.ebiederm.org> <4B926B1B.5070207 at free.fr> 
<m1aaulyy5c.fsf at fess.ebiederm.org> <4B92C886.9020507 at free.fr>



I have take an snapshot of my development tree and placed it at.


git://git.kernel.org/pub/scm/linux/people/ebiederm/linux-2.6.33-nsfd-v5.git


>> I am going to explore a bit more.  Given that nsfd is using the same
>> permission checks as a proc file, I think I can just make it a proc
>> file.  Something like "/proc/<pid>/ns/net".  With a little luck that
>> won't suck too badly.
>>   
> Ah ! yes. Good idea.

It is a hair more code to use proc files but nothing worth counting.

Probably the biggest thing I am aware of right now in my development
tree is in getting uids to pass properly between unix domain sockets
I would up writing this cred_to_ucred function.

Serge can you take a look and check my logic, and do you have
any idea of where we should place something like pid_vnr but
for the uid namespace?

void cred_to_ucred(struct pid *pid, const struct cred *cred,
		   struct ucred *ucred)
{
	ucred->pid = pid_vnr(pid);
	ucred->uid = ucred->gid = -1;
	if (cred) {
		struct user_namespace *cred_ns = cred->user->user_ns;
		struct user_namespace *current_ns = current_user_ns();
		struct user_namespace *tmp;

		if (likely(cred_ns == current_ns)) {
			ucred->uid = cred->euid;
			ucred->gid = cred->egid;
		} else {
			/* Is cred in a child user namespace */
			tmp = cred_ns;
			do {
				tmp = tmp->creator->user_ns;
				if (tmp == current_ns) {
					ucred->uid = tmp->creator->uid;
					ucred->gid = overflowgid;
					return;
				}
			} while (tmp != &init_user_ns);

			/* Is cred the creator of my user namespace,
			 * or the creator of one of it's parents?
			 */
			for( tmp = current_ns; tmp != &init_user_ns;
			     tmp = tmp->creator->user_ns) {
				if (cred->user == tmp->creator) {
					ucred->uid = 0;
					ucred->gid = 0;
					return;
				}
			}

			/* No user namespace relationship so no mapping */
			ucred->uid = overflowuid;
			ucred->gid = overflowgid;
		}
	}
}

Eric







More information about the lxc-devel mailing list