[lxc-devel] [Fwd: Re: [RFC][PATCH] ns: Syscalls for better namespace sharing control.]
Daniel Lezcano
daniel.lezcano at free.fr
Mon Mar 8 15:37:56 UTC 2010
Hi all,
just to let you know there is a discussion and a patchset to enter a
container.
I will prototype the two commands lxc-enter and lxc-exec to make use of
this new kernel functionality. I will be happy if someone is willing to
play with these new commands when they are finished.
I hope the patchset will be available for 2.6.35 :)
-------- Original Message --------
Subject: Re: [RFC][PATCH] ns: Syscalls for better namespace sharing
control.
Date: Mon, 08 Mar 2010 00:32:49 -0800
From: ebiederm at xmission.com (Eric W. Biederman)
To: Daniel Lezcano <daniel.lezcano at free.fr>
CC: Pavel Emelyanov <xemul at parallels.com>, Sukadev Bhattiprolu
<sukadev at linux.vnet.ibm.com>, Serge Hallyn <serue at us.ibm.com>, Linux
Netdev List <netdev at vger.kernel.org>,
containers at lists.linux-foundation.org, Netfilter Development Mailinglist
<netfilter-devel at vger.kernel.org>, Ben Greear <greearb at candelatech.com>
References: <4B88E431.6040609 at parallels.com>
<m1bpfbqajn.fsf at fess.ebiederm.org> <4B894564.7080104 at parallels.com>
<m1iq9io5sc.fsf at fess.ebiederm.org> <4B89727C.9040602 at parallels.com>
<m1ljeempk6.fsf at fess.ebiederm.org> <4B8AE8C1.1030305 at free.fr>
<4B8D28CF.8060304 at parallels.com> <20100302211942.GA17816 at us.ibm.com>
<m1y6iaqsmm.fsf at fess.ebiederm.org> <20100303000743.GA13744 at us.ibm.com>
<m1ocj6qljj.fsf at fess.ebiederm.org> <4B8E9370.3050300 at parallels.com>
<m17hptjh3m.fsf at fess.ebiederm.org> <4B9158F5.5040205 at parallels.com>
<m1vdda1pmx.fsf at fess.ebiederm.org> <4B926B1B.5070207 at free.fr>
<m1aaulyy5c.fsf at fess.ebiederm.org> <4B92C886.9020507 at free.fr>
I have take an snapshot of my development tree and placed it at.
git://git.kernel.org/pub/scm/linux/people/ebiederm/linux-2.6.33-nsfd-v5.git
>> I am going to explore a bit more. Given that nsfd is using the same
>> permission checks as a proc file, I think I can just make it a proc
>> file. Something like "/proc/<pid>/ns/net". With a little luck that
>> won't suck too badly.
>>
> Ah ! yes. Good idea.
It is a hair more code to use proc files but nothing worth counting.
Probably the biggest thing I am aware of right now in my development
tree is in getting uids to pass properly between unix domain sockets
I would up writing this cred_to_ucred function.
Serge can you take a look and check my logic, and do you have
any idea of where we should place something like pid_vnr but
for the uid namespace?
void cred_to_ucred(struct pid *pid, const struct cred *cred,
struct ucred *ucred)
{
ucred->pid = pid_vnr(pid);
ucred->uid = ucred->gid = -1;
if (cred) {
struct user_namespace *cred_ns = cred->user->user_ns;
struct user_namespace *current_ns = current_user_ns();
struct user_namespace *tmp;
if (likely(cred_ns == current_ns)) {
ucred->uid = cred->euid;
ucred->gid = cred->egid;
} else {
/* Is cred in a child user namespace */
tmp = cred_ns;
do {
tmp = tmp->creator->user_ns;
if (tmp == current_ns) {
ucred->uid = tmp->creator->uid;
ucred->gid = overflowgid;
return;
}
} while (tmp != &init_user_ns);
/* Is cred the creator of my user namespace,
* or the creator of one of it's parents?
*/
for( tmp = current_ns; tmp != &init_user_ns;
tmp = tmp->creator->user_ns) {
if (cred->user == tmp->creator) {
ucred->uid = 0;
ucred->gid = 0;
return;
}
}
/* No user namespace relationship so no mapping */
ucred->uid = overflowuid;
ucred->gid = overflowgid;
}
}
}
Eric
More information about the lxc-devel
mailing list