* [PATCH RESEND 0/2] Expose task pid_ns_for_children to userspace
@ 2017-03-30 10:27 Kirill Tkhai
  2017-03-30 10:27 ` [PATCH RESEND 1/2] ns: Allow ns_entries to have custom symlink content Kirill Tkhai
  [not found] ` <149086931397.4388.9604947335273204415.stgit-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
  0 siblings, 2 replies; 8+ messages in thread

From: Kirill Tkhai @ 2017-03-30 10:27 UTC (permalink / raw)
To: agruenba, keescook, linux-api, linux-kernel, viro, oleg, paul, ebiederm, avagin, linux-fsdevel, mtk.manpages, akpm, luto, mingo, serge

pid_ns_for_children set by a task is known only to the task itself,
and it's impossible to identify it from outside.

It's a big problem for checkpoint/restore software like CRIU,
because it can't correctly handle tasks that do setns(CLONE_NEWPID)
in the process of their work. If they have a custom pid_ns_for_children
before dump, they must have the same ns after restore. Otherwise,
the restored task bumps into an environment it does not expect.

This patchset solves the problem. It exposes pid_ns_for_children
to the ns directory in the standard way with the name "pid_for_children":

~# ls /proc/5531/ns -l | grep pid
lrwxrwxrwx 1 root root 0 Jan 14 16:38 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Jan 14 16:38 pid_for_children -> pid:[4026532286]

---

Kirill Tkhai (2):
      ns: Allow ns_entries to have custom symlink content
      pidns: Expose task pid_ns_for_children to userspace

 fs/nsfs.c               |    4 +++-
 fs/proc/namespaces.c    |    1 +
 include/linux/proc_ns.h |    2 ++
 kernel/pid_namespace.c  |   25 +++++++++++++++++++++++++
 4 files changed, 31 insertions(+), 1 deletion(-)

--
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>

^ permalink raw reply [flat|nested] 8+ messages in thread
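The interface the cover letter describes, exercised from userspace as an added example (this is not code from the patch series, from CRIU, or from the kernel tree): it reads both links, parses the `pid:[<inum>]` text that ns_get_name() emits, and reports whether a task's next child will be created in a PID namespace other than the task's own. That is the fact a checkpoint tool has to record at dump time, and the same comparison lets an auditor spot processes that are about to spawn into another namespace. The example assumes a kernel with this series applied (Linux 4.12 or later, per the thread) and a mounted /proc; the helper names (`ns_link_inum`, `ns_read_link`, `task_children_pidns`) are its own. The unshare(CLONE_NEWPID) part of main() needs CAP_SYS_ADMIN and is skipped otherwise.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parse "<prefix>:[<inum>]" as written by the kernel's ns_get_name(); returns
 * the inode number, or -1 if the text is malformed or the prefix is wrong.
 * Both links carry the prefix "pid" (patch 1/2's real_ns_name decouples link
 * content from link name), so a parser must not expect "pid_for_children:[". */
static long long ns_link_inum(const char *text, const char *want_prefix)
{
    size_t plen = strlen(want_prefix);
    const char *digits;
    unsigned long long inum;
    char *end;

    if (strncmp(text, want_prefix, plen) != 0 ||
        text[plen] != ':' || text[plen + 1] != '[')
        return -1;
    digits = text + plen + 2;
    errno = 0;
    inum = strtoull(digits, &end, 10);
    if (errno != 0 || end == digits || end[0] != ']' || end[1] != '\0')
        return -1;
    return (long long)inum;
}

/* readlink() /proc/<pid>/ns/<name> into buf; pid 0 means /proc/self, which is
 * correct for the caller even after it has moved to another PID namespace.
 * Returns 0 on success, -errno otherwise (e.g. -ENOENT on a pre-4.12 kernel). */
static int ns_read_link(pid_t pid, const char *name, char *buf, size_t size)
{
    char path[64];
    ssize_t n;

    if (pid == 0)
        snprintf(path, sizeof(path), "/proc/self/ns/%s", name);
    else
        snprintf(path, sizeof(path), "/proc/%d/ns/%s", (int)pid, name);
    n = readlink(path, buf, size - 1);
    if (n < 0)
        return -errno;
    buf[n] = '\0';
    return 0;
}

/* 0 if the link is readable, -errno otherwise. */
static int ns_link_error(pid_t pid, const char *name)
{
    char buf[64];
    return ns_read_link(pid, name, buf, sizeof(buf));
}

enum children_ns { CHILDREN_NS_UNKNOWN = -1, CHILDREN_NS_SAME = 0, CHILDREN_NS_DIFFERENT = 1 };
static const char *const children_ns_name[] = { "unknown", "same", "different" };

/* The question a checkpoint tool asks at dump time: will <pid>'s next child be
 * born into a PID namespace other than the one <pid> itself lives in? */
static enum children_ns task_children_pidns(pid_t pid)
{
    char cur[64], nxt[64];
    long long cur_inum, nxt_inum;

    if (ns_read_link(pid, "pid", cur, sizeof(cur)) < 0 ||
        ns_read_link(pid, "pid_for_children", nxt, sizeof(nxt)) < 0)
        return CHILDREN_NS_UNKNOWN;
    cur_inum = ns_link_inum(cur, "pid");
    nxt_inum = ns_link_inum(nxt, "pid");
    if (cur_inum < 0 || nxt_inum < 0)
        return CHILDREN_NS_UNKNOWN;
    return cur_inum == nxt_inum ? CHILDREN_NS_SAME : CHILDREN_NS_DIFFERENT;
}

/* Stand-alone demo. unshare(CLONE_NEWPID) needs CAP_SYS_ADMIN; when it works
 * it shows the asymmetry the thread's man-page text describes: unshare changes
 * pid_for_children but not pid, and only a child forked afterwards lives there. */
int main(void)
{
    pid_t child;

    printf("self: children pidns %s\n", children_ns_name[task_children_pidns(0) + 1]);
    if (unshare(CLONE_NEWPID) < 0) {
        printf("unshare(CLONE_NEWPID): %s (demo skipped)\n", strerror(errno));
        return 0;
    }
    printf("after unshare: children pidns %s\n", children_ns_name[task_children_pidns(0) + 1]);
    child = fork();
    if (child == 0) {
        /* In the new namespace our pid is 1 and our own `pid` link is the one
         * the parent's pid_for_children pointed at. */
        printf("child: pid %d, children pidns %s\n", (int)getpid(),
               children_ns_name[task_children_pidns(0) + 1]);
        _exit(0);
    }
    if (child > 0)
        waitpid(child, NULL, 0);
    return 0;
}
```

Two details matter for any consumer of the new file: the link content starts with `pid`, not `pid_for_children`, because patch 1/2 decouples content from name; and the inode number, not the link text as a whole, is the identity to compare, exactly as the `ls -l` output in the cover letter shows two `pid:[...]` targets with different numbers.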
* [PATCH RESEND 1/2] ns: Allow ns_entries to have custom symlink content 2017-03-30 10:27 [PATCH RESEND 0/2] Expose task pid_ns_for_children to userspace Kirill Tkhai @ 2017-03-30 10:27 ` Kirill Tkhai [not found] ` <149086931397.4388.9604947335273204415.stgit-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org> 1 sibling, 0 replies; 8+ messages in thread From: Kirill Tkhai @ 2017-03-30 10:27 UTC (permalink / raw) To: agruenba, keescook, linux-api, linux-kernel, viro, oleg, paul, ebiederm, avagin, linux-fsdevel, mtk.manpages, akpm, luto, mingo, serge Make possible to have link content prefix yyy different from the link name xxx: $ readlink /proc/[pid]/ns/xxx yyy:[4026531838] This will be used in next patch. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org> Acked-by: Andrei Vagin <avagin@virtuozzo.com> --- fs/nsfs.c | 4 +++- include/linux/proc_ns.h | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/nsfs.c b/fs/nsfs.c index 1656843e87d2..495f12b83a7b 100644 --- a/fs/nsfs.c +++ b/fs/nsfs.c @@ -195,9 +195,11 @@ int ns_get_name(char *buf, size_t size, struct task_struct *task, { struct ns_common *ns; int res = -ENOENT; + const char *name; ns = ns_ops->get(task); if (ns) { - res = snprintf(buf, size, "%s:[%u]", ns_ops->name, ns->inum); + name = ns_ops->real_ns_name ? : ns_ops->name; + res = snprintf(buf, size, "%s:[%u]", name, ns->inum); ns_ops->put(ns); } return res; diff --git a/include/linux/proc_ns.h b/include/linux/proc_ns.h index 12cb8bd81d2d..88dba3b53375 100644 --- a/include/linux/proc_ns.h +++ b/include/linux/proc_ns.h @@ -14,6 +14,7 @@ struct inode; struct proc_ns_operations { const char *name; + const char *real_ns_name; int type; struct ns_common *(*get)(struct task_struct *task); void (*put)(struct ns_common *ns); ^ permalink raw reply related [flat|nested] 8+ messages in thread
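Review bot: in the fs/nsfs.c hunk, `name = ns_ops->real_ns_name ? : ns_ops->name;` relies on the GNU `?:` extension, which the kernel allows but normally spells `?:` without the inner space. Since no other proc_ns_operations instance is touched by this series, every existing entry leaves real_ns_name NULL and this fallback is what keeps the other /proc/[pid]/ns links unchanged; that deserves one sentence in the commit message.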
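Review bot: the new `real_ns_name` member added to struct proc_ns_operations in the include/linux/proc_ns.h hunk carries no comment. Add a one-liner above it, e.g. `/* symlink content prefix, if it differs from name */`, so a reader of the header does not have to find ns_get_name() to learn why the struct now has two names.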
* [PATCH RESEND 2/2] pidns: Expose task pid_ns_for_children to userspace [not found] ` <149086931397.4388.9604947335273204415.stgit-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org> @ 2017-03-30 10:27 ` Kirill Tkhai [not found] ` <149086967937.4388.471494976517194744.stgit-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org> 0 siblings, 1 reply; 8+ messages in thread From: Kirill Tkhai @ 2017-03-30 10:27 UTC (permalink / raw) To: agruenba-H+wXaHxf7aLQT0dZR+AlfA, keescook-F7+t8E8rja9g9hUCZPvPmw, linux-api-u79uwXL29TY76Z2rM5mHXA, linux-kernel-u79uwXL29TY76Z2rM5mHXA, viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn, oleg-H+wXaHxf7aLQT0dZR+AlfA, paul-r2n+y4ga6xFZroRs9YW3xA, ebiederm-aS9lmoZGLiVWk0Htik3J/w, avagin-GEFAQzZX7r8dnm+yROfE0A, linux-fsdevel-u79uwXL29TY76Z2rM5mHXA, mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w, akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b, luto-kltTT9wpgjJwATOyAt5JVQ, mingo-DgEjT+Ai2ygdnm+yROfE0A, serge-A9i7LUbDfNHQT0dZR+AlfA pid_ns_for_children set by a task is known only to the task itself, and it's impossible to identify it from outside. It's a big problem for checkpoint/restore software like CRIU, because it can't correctly handle tasks, that do setns(CLONE_NEWPID) in proccess of their work. This patch solves the problem, and it exposes pid_ns_for_children to ns directory in standard way with the name "pid_for_children": ~# ls /proc/5531/ns -l | grep pid lrwxrwxrwx 1 root root 0 Jan 14 16:38 pid -> pid:[4026531836] lrwxrwxrwx 1 root root 0 Jan 14 16:38 pid_for_children -> pid:[4026532286] Signed-off-by: Kirill Tkhai <ktkhai-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org> Reviewed-by: Cyrill Gorcunov <gorcunov-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org> Acked-by: Andrei Vagin <avagin-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org> --- fs/proc/namespaces.c | 1 + include/linux/proc_ns.h | 1 + kernel/pid_namespace.c | 25 +++++++++++++++++++++++++ 3 files changed, 27 insertions(+) diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c index 766f0c637ad1..3803b24ca220 100644 
--- a/fs/proc/namespaces.c +++ b/fs/proc/namespaces.c @@ -23,6 +23,7 @@ static const struct proc_ns_operations *ns_entries[] = { #endif #ifdef CONFIG_PID_NS &pidns_operations, + &pidns_for_children_operations, #endif #ifdef CONFIG_USER_NS &userns_operations, diff --git a/include/linux/proc_ns.h b/include/linux/proc_ns.h index 88dba3b53375..58ab28d81fc2 100644 --- a/include/linux/proc_ns.h +++ b/include/linux/proc_ns.h @@ -27,6 +27,7 @@ extern const struct proc_ns_operations netns_operations; extern const struct proc_ns_operations utsns_operations; extern const struct proc_ns_operations ipcns_operations; extern const struct proc_ns_operations pidns_operations; +extern const struct proc_ns_operations pidns_for_children_operations; extern const struct proc_ns_operations userns_operations; extern const struct proc_ns_operations mntns_operations; extern const struct proc_ns_operations cgroupns_operations; diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c index de461aa0bf9a..4dd02ff0b0bd 100644 --- a/kernel/pid_namespace.c +++ b/kernel/pid_namespace.c @@ -374,6 +374,20 @@ static struct ns_common *pidns_get(struct task_struct *task) return ns ? &ns->ns : NULL; } +static struct ns_common *pidns_for_children_get(struct task_struct *task) +{ + struct pid_namespace *ns = NULL; + + task_lock(task); + if (task->nsproxy) { + ns = task->nsproxy->pid_ns_for_children; + get_pid_ns(ns); + } + task_unlock(task); + + return ns ? &ns->ns : NULL; +} + static void pidns_put(struct ns_common *ns) { put_pid_ns(to_pid_ns(ns)); 
@@ -443,6 +457,17 @@ const struct proc_ns_operations pidns_operations = { .get_parent = pidns_get_parent, }; +const struct proc_ns_operations pidns_for_children_operations = { + .name = "pid_for_children", + .real_ns_name = "pid", + .type = CLONE_NEWPID, + .get = pidns_for_children_get, + .put = pidns_put, + .install = pidns_install, + .owner = pidns_owner, + .get_parent = pidns_get_parent, +}; + static __init int pid_namespaces_init(void) { pid_ns_cachep = KMEM_CACHE(pid_namespace, SLAB_PANIC); ^ permalink raw reply related [flat|nested] 8+ messages in thread
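Review bot: the fs/proc/namespaces.c hunk only appends `&pidns_for_children_operations` to ns_entries[] under CONFIG_PID_NS, so the new link is served by the same lookup and readlink code, and therefore the same permission checks, as the existing `pid` link. Because this makes previously task-private state observable, the commit message should say so explicitly, and the user-visible file needs a documentation entry, as raised elsewhere in the thread.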
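Review bot: pidns_for_children_get() in the kernel/pid_namespace.c hunk is a copy of the neighbouring pidns_get() with the source field swapped, and nothing in the code says why two getters exist. A short comment above it (the `pid` link is the namespace the task's own PIDs live in; `pid_for_children` is the one its future children are created in, and setns(2)/unshare(2) move only the latter) would save the next reader a trip through the commit log. The task_lock() and the `if (task->nsproxy)` check are needed because an exiting task has already dropped its nsproxy; keep them.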
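Review bot: the pidns_for_children_operations hunk reuses `.install = pidns_install` and `.type = CLONE_NEWPID`, so an fd opened on /proc/[pid]/ns/pid_for_children is accepted by setns(2) like any PID-namespace fd and makes that namespace the caller's own pid_ns_for_children. That is the write side a restore tool relies on to reproduce the dumped state, yet the commit message describes only the read side; state the setns(2) behaviour explicitly.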
* Re: [PATCH RESEND 2/2] pidns: Expose task pid_ns_for_children to userspace [not found] ` <149086967937.4388.471494976517194744.stgit-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org> @ 2017-03-30 22:05 ` Andrew Morton 2017-03-31 1:04 ` Andrei Vagin 0 siblings, 1 reply; 8+ messages in thread From: Andrew Morton @ 2017-03-30 22:05 UTC (permalink / raw) To: Kirill Tkhai Cc: agruenba-H+wXaHxf7aLQT0dZR+AlfA, keescook-F7+t8E8rja9g9hUCZPvPmw, linux-api-u79uwXL29TY76Z2rM5mHXA, linux-kernel-u79uwXL29TY76Z2rM5mHXA, viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn, oleg-H+wXaHxf7aLQT0dZR+AlfA, paul-r2n+y4ga6xFZroRs9YW3xA, ebiederm-aS9lmoZGLiVWk0Htik3J/w, avagin-GEFAQzZX7r8dnm+yROfE0A, linux-fsdevel-u79uwXL29TY76Z2rM5mHXA, mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w, luto-kltTT9wpgjJwATOyAt5JVQ, mingo-DgEjT+Ai2ygdnm+yROfE0A, serge-A9i7LUbDfNHQT0dZR+AlfA On Thu, 30 Mar 2017 13:27:59 +0300 Kirill Tkhai <ktkhai-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org> wrote: > pid_ns_for_children set by a task is known only to the task itself, > and it's impossible to identify it from outside. > > It's a big problem for checkpoint/restore software like CRIU, > because it can't correctly handle tasks, that do setns(CLONE_NEWPID) > in proccess of their work. > > This patch solves the problem, and it exposes pid_ns_for_children > to ns directory in standard way with the name "pid_for_children": > > ~# ls /proc/5531/ns -l | grep pid > lrwxrwxrwx 1 root root 0 Jan 14 16:38 pid -> pid:[4026531836] > lrwxrwxrwx 1 root root 0 Jan 14 16:38 pid_for_children -> pid:[4026532286] > > --- a/fs/proc/namespaces.c > +++ b/fs/proc/namespaces.c > @@ -23,6 +23,7 @@ static const struct proc_ns_operations *ns_entries[] = { > #endif > #ifdef CONFIG_PID_NS > &pidns_operations, > + &pidns_for_children_operations, > #endif This interface should be documented somewhere under Documentation/. But I can't immediately find where the /proc/pid/ns/ pseudo-files are documented... ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH RESEND 2/2] pidns: Expose task pid_ns_for_children to userspace 2017-03-30 22:05 ` Andrew Morton @ 2017-03-31 1:04 ` Andrei Vagin [not found] ` <20170331010409.GA22895-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org> 0 siblings, 1 reply; 8+ messages in thread From: Andrei Vagin @ 2017-03-31 1:04 UTC (permalink / raw) To: Andrew Morton Cc: Kirill Tkhai, agruenba, keescook, linux-api, linux-kernel, viro, oleg, paul, ebiederm, avagin, linux-fsdevel, mtk.manpages, luto, mingo, serge On Thu, Mar 30, 2017 at 03:05:20PM -0700, Andrew Morton wrote: > On Thu, 30 Mar 2017 13:27:59 +0300 Kirill Tkhai <ktkhai@virtuozzo.com> wrote: > > > pid_ns_for_children set by a task is known only to the task itself, > > and it's impossible to identify it from outside. > > > > It's a big problem for checkpoint/restore software like CRIU, > > because it can't correctly handle tasks, that do setns(CLONE_NEWPID) > > in proccess of their work. > > > > This patch solves the problem, and it exposes pid_ns_for_children > > to ns directory in standard way with the name "pid_for_children": > > > > ~# ls /proc/5531/ns -l | grep pid > > lrwxrwxrwx 1 root root 0 Jan 14 16:38 pid -> pid:[4026531836] > > lrwxrwxrwx 1 root root 0 Jan 14 16:38 pid_for_children -> pid:[4026532286] > > > > --- a/fs/proc/namespaces.c > > +++ b/fs/proc/namespaces.c > > @@ -23,6 +23,7 @@ static const struct proc_ns_operations *ns_entries[] = { > > #endif > > #ifdef CONFIG_PID_NS > > &pidns_operations, > > + &pidns_for_children_operations, > > #endif > > This interface should be documented somewhere under Documentation/. > But I can't immediately find where the /proc/pid/ns/ pseudo-files are > documented... I know that they are documented in man7/namespaces.7 https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/man7/namespaces.7#n187 > > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH RESEND 2/2] pidns: Expose task pid_ns_for_children to userspace [not found] ` <20170331010409.GA22895-1ViLX0X+lBJGNQ1M2rI3KwRV3xvJKrda@public.gmane.org> @ 2017-03-31 9:45 ` Kirill Tkhai [not found] ` <0825f166-6f20-59a9-45a9-5ffe9009150e-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org> 0 siblings, 1 reply; 8+ messages in thread From: Kirill Tkhai @ 2017-03-31 9:45 UTC (permalink / raw) To: Andrei Vagin, Andrew Morton Cc: agruenba-H+wXaHxf7aLQT0dZR+AlfA, keescook-F7+t8E8rja9g9hUCZPvPmw, linux-api-u79uwXL29TY76Z2rM5mHXA, linux-kernel-u79uwXL29TY76Z2rM5mHXA, viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn, oleg-H+wXaHxf7aLQT0dZR+AlfA, paul-r2n+y4ga6xFZroRs9YW3xA, ebiederm-aS9lmoZGLiVWk0Htik3J/w, avagin-GEFAQzZX7r8dnm+yROfE0A, linux-fsdevel-u79uwXL29TY76Z2rM5mHXA, mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w, luto-kltTT9wpgjJwATOyAt5JVQ, mingo-DgEjT+Ai2ygdnm+yROfE0A, serge-A9i7LUbDfNHQT0dZR+AlfA On 31.03.2017 04:04, Andrei Vagin wrote: > On Thu, Mar 30, 2017 at 03:05:20PM -0700, Andrew Morton wrote: >> On Thu, 30 Mar 2017 13:27:59 +0300 Kirill Tkhai <ktkhai-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org> wrote: >> >>> pid_ns_for_children set by a task is known only to the task itself, >>> and it's impossible to identify it from outside. >>> >>> It's a big problem for checkpoint/restore software like CRIU, >>> because it can't correctly handle tasks, that do setns(CLONE_NEWPID) >>> in proccess of their work. >>> >>> This patch solves the problem, and it exposes pid_ns_for_children >>> to ns directory in standard way with the name "pid_for_children": >>> >>> ~# ls /proc/5531/ns -l | grep pid >>> lrwxrwxrwx 1 root root 0 Jan 14 16:38 pid -> pid:[4026531836] >>> lrwxrwxrwx 1 root root 0 Jan 14 16:38 pid_for_children -> pid:[4026532286] >>> >>> --- a/fs/proc/namespaces.c >>> +++ b/fs/proc/namespaces.c 
>>> @@ -23,6 +23,7 @@ static const struct proc_ns_operations *ns_entries[] = { >>> #endif >>> #ifdef CONFIG_PID_NS >>> &pidns_operations, >>> + &pidns_for_children_operations, >>> #endif >> >> This interface should be documented somewhere under Documentation/. >> But I can't immediately find where the /proc/pid/ns/ pseudo-files are >> documented... > > I know that they are documented in man7/namespaces.7 > > https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/man7/namespaces.7#n187 I suggest the below patch, but it's too early for the man description till the feature is in mainline, because the man page requires commit id of the feature. [PATCH] namespaces.7: Document the /proc/[pid]/ns/pid_for_children file Signed-off-by: Kirill Tkhai <ktkhai-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org> --- man7/namespaces.7 | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/man7/namespaces.7 b/man7/namespaces.7 index 6dfceaa2a..06041774f 100644 --- a/man7/namespaces.7 +++ b/man7/namespaces.7 @@ -125,6 +125,7 @@ lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 ipc \-> ipc:[4026531839] lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 mnt \-> mnt:[4026531840] lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 net \-> net:[4026531969] lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid \-> pid:[4026531836] +lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid_for_children -> pid:[4026531834] lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 user \-> user:[4026531837] lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 uts \-> uts:[4026531838] .fi 
@@ -186,7 +187,14 @@ This file is a handle for the network namespace of the process. .TP .IR /proc/[pid]/ns/pid " (since Linux 3.8)" .\" commit 57e8391d327609cbf12d843259c968b9e5c1838f -This file is a handle for the PID namespace of the process. +This file is a handle for the PID namespace of the process. It's +permanent during the whole process life. +.TP +.IR /proc/[pid]/ns/pid_for_children " (since Linux 4.12)" +.\" commit FIXME +This file is a handle for the PID namespace of a next born child +of the process. It's changed after unshare(2) and via setns(2), +so the file may differ from /proc/[pid]/ns/pid. .TP .IR /proc/[pid]/ns/user " (since Linux 3.8)" .\" commit cde1975bc242f3e1072bde623ef378e547b73f91 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH RESEND 2/2] pidns: Expose task pid_ns_for_children to userspace [not found] ` <0825f166-6f20-59a9-45a9-5ffe9009150e-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org> @ 2017-03-31 15:06 ` Kees Cook [not found] ` <CAGXu5jJYTrOB1A0V9V8NOtLUF_D52RwtqFUcfsCiC-Jm3Z5G2w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 0 siblings, 1 reply; 8+ messages in thread From: Kees Cook @ 2017-03-31 15:06 UTC (permalink / raw) To: Kirill Tkhai, Michael Kerrisk Cc: Andrei Vagin, Andrew Morton, Andreas Gruenbacher, Linux API, LKML, Al Viro, Oleg Nesterov, Paul Moore, Eric W. Biederman, Andrew Vagin, linux-fsdevel-u79uwXL29TY76Z2rM5mHXA, Andy Lutomirski, Ingo Molnar, Serge E. Hallyn On Fri, Mar 31, 2017 at 2:45 AM, Kirill Tkhai <ktkhai-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org> wrote: > On 31.03.2017 04:04, Andrei Vagin wrote: >> On Thu, Mar 30, 2017 at 03:05:20PM -0700, Andrew Morton wrote: >>> On Thu, 30 Mar 2017 13:27:59 +0300 Kirill Tkhai <ktkhai-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org> wrote: >>> >>>> pid_ns_for_children set by a task is known only to the task itself, >>>> and it's impossible to identify it from outside. >>>> >>>> It's a big problem for checkpoint/restore software like CRIU, >>>> because it can't correctly handle tasks, that do setns(CLONE_NEWPID) >>>> in proccess of their work. >>>> >>>> This patch solves the problem, and it exposes pid_ns_for_children >>>> to ns directory in standard way with the name "pid_for_children": >>>> >>>> ~# ls /proc/5531/ns -l | grep pid >>>> lrwxrwxrwx 1 root root 0 Jan 14 16:38 pid -> pid:[4026531836] >>>> lrwxrwxrwx 1 root root 0 Jan 14 16:38 pid_for_children -> pid:[4026532286] >>>> >>>> --- a/fs/proc/namespaces.c >>>> +++ b/fs/proc/namespaces.c 
>>>> @@ -23,6 +23,7 @@ static const struct proc_ns_operations *ns_entries[] = { >>>> #endif >>>> #ifdef CONFIG_PID_NS >>>> &pidns_operations, >>>> + &pidns_for_children_operations, >>>> #endif >>> >>> This interface should be documented somewhere under Documentation/. >>> But I can't immediately find where the /proc/pid/ns/ pseudo-files are >>> documented... >> >> I know that they are documented in man7/namespaces.7 >> >> https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/man7/namespaces.7#n187 > > I suggest the below patch, but it's too early for the man description till > the feature is in mainline, because the man page requires commit id of the feature. > > [PATCH] namespaces.7: Document the /proc/[pid]/ns/pid_for_children file > > Signed-off-by: Kirill Tkhai <ktkhai-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org> > --- > man7/namespaces.7 | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > diff --git a/man7/namespaces.7 b/man7/namespaces.7 > index 6dfceaa2a..06041774f 100644 > --- a/man7/namespaces.7 > +++ b/man7/namespaces.7 > @@ -125,6 +125,7 @@ lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 ipc \-> ipc:[4026531839] > lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 mnt \-> mnt:[4026531840] > lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 net \-> net:[4026531969] > lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid \-> pid:[4026531836] > +lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid_for_children -> pid:[4026531834] Minor nit: this needs to be "\-" for the "-" > lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 user \-> user:[4026531837] > lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 uts \-> uts:[4026531838] > .fi 
> @@ -186,7 +187,14 @@ This file is a handle for the network namespace of the process. > .TP > .IR /proc/[pid]/ns/pid " (since Linux 3.8)" > .\" commit 57e8391d327609cbf12d843259c968b9e5c1838f > -This file is a handle for the PID namespace of the process. > +This file is a handle for the PID namespace of the process. It's > +permanent during the whole process life. > +.TP > +.IR /proc/[pid]/ns/pid_for_children " (since Linux 4.12)" > +.\" commit FIXME > +This file is a handle for the PID namespace of a next born child > +of the process. It's changed after unshare(2) and via setns(2), > +so the file may differ from /proc/[pid]/ns/pid. > .TP > .IR /proc/[pid]/ns/user " (since Linux 3.8)" > .\" commit cde1975bc242f3e1072bde623ef378e547b73f91 > -Kees -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH RESEND 2/2] pidns: Expose task pid_ns_for_children to userspace [not found] ` <CAGXu5jJYTrOB1A0V9V8NOtLUF_D52RwtqFUcfsCiC-Jm3Z5G2w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> @ 2017-03-31 15:25 ` Kirill Tkhai 0 siblings, 0 replies; 8+ messages in thread From: Kirill Tkhai @ 2017-03-31 15:25 UTC (permalink / raw) To: Kees Cook, Michael Kerrisk Cc: Andrei Vagin, Andrew Morton, Andreas Gruenbacher, Linux API, LKML, Al Viro, Oleg Nesterov, Paul Moore, Eric W. Biederman, Andrew Vagin, linux-fsdevel-u79uwXL29TY76Z2rM5mHXA, Andy Lutomirski, Ingo Molnar, Serge E. Hallyn On 31.03.2017 18:06, Kees Cook wrote: > On Fri, Mar 31, 2017 at 2:45 AM, Kirill Tkhai <ktkhai-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org> wrote: >> On 31.03.2017 04:04, Andrei Vagin wrote: >>> On Thu, Mar 30, 2017 at 03:05:20PM -0700, Andrew Morton wrote: >>>> On Thu, 30 Mar 2017 13:27:59 +0300 Kirill Tkhai <ktkhai-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org> wrote: >>>> >>>>> pid_ns_for_children set by a task is known only to the task itself, >>>>> and it's impossible to identify it from outside. >>>>> >>>>> It's a big problem for checkpoint/restore software like CRIU, >>>>> because it can't correctly handle tasks, that do setns(CLONE_NEWPID) >>>>> in proccess of their work. >>>>> >>>>> This patch solves the problem, and it exposes pid_ns_for_children >>>>> to ns directory in standard way with the name "pid_for_children": >>>>> >>>>> ~# ls /proc/5531/ns -l | grep pid >>>>> lrwxrwxrwx 1 root root 0 Jan 14 16:38 pid -> pid:[4026531836] >>>>> lrwxrwxrwx 1 root root 0 Jan 14 16:38 pid_for_children -> pid:[4026532286] >>>>> >>>>> --- a/fs/proc/namespaces.c >>>>> +++ b/fs/proc/namespaces.c 
>>>>> @@ -23,6 +23,7 @@ static const struct proc_ns_operations *ns_entries[] = { >>>>> #endif >>>>> #ifdef CONFIG_PID_NS >>>>> &pidns_operations, >>>>> + &pidns_for_children_operations, >>>>> #endif >>>> >>>> This interface should be documented somewhere under Documentation/. >>>> But I can't immediately find where the /proc/pid/ns/ pseudo-files are >>>> documented... >>> >>> I know that they are documented in man7/namespaces.7 >>> >>> https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/man7/namespaces.7#n187 >> >> I suggest the below patch, but it's too early for the man description till >> the feature is in mainline, because the man page requires commit id of the feature. >> >> [PATCH] namespaces.7: Document the /proc/[pid]/ns/pid_for_children file >> >> Signed-off-by: Kirill Tkhai <ktkhai-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org> >> --- >> man7/namespaces.7 | 10 +++++++++- >> 1 file changed, 9 insertions(+), 1 deletion(-) >> diff --git a/man7/namespaces.7 b/man7/namespaces.7 >> index 6dfceaa2a..06041774f 100644 >> --- a/man7/namespaces.7 >> +++ b/man7/namespaces.7 >> @@ -125,6 +125,7 @@ lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 ipc \-> ipc:[4026531839] >> lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 mnt \-> mnt:[4026531840] >> lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 net \-> net:[4026531969] >> lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid \-> pid:[4026531836] >> +lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid_for_children -> pid:[4026531834] > > Minor nit: this needs to be "\-" for the "-" Thanks, Kees. The updated version is below: [PATCH] namespaces.7: Document the /proc/[pid]/ns/pid_for_children file Signed-off-by: Kirill Tkhai <ktkhai-5HdwGun5lf+gSpxsJD1C4w@public.gmane.org> --- man7/namespaces.7 | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/man7/namespaces.7 b/man7/namespaces.7 index 6dfceaa2a..b4e9b13f0 100644 --- a/man7/namespaces.7 +++ b/man7/namespaces.7 
@@ -125,6 +125,7 @@ lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 ipc \-> ipc:[4026531839] lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 mnt \-> mnt:[4026531840] lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 net \-> net:[4026531969] lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid \-> pid:[4026531836] +lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 pid_for_children \-> pid:[4026531834] lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 user \-> user:[4026531837] lrwxrwxrwx. 1 mtk mtk 0 Apr 28 12:46 uts \-> uts:[4026531838] .fi @@ -186,7 +187,14 @@ This file is a handle for the network namespace of the process. .TP .IR /proc/[pid]/ns/pid " (since Linux 3.8)" .\" commit 57e8391d327609cbf12d843259c968b9e5c1838f -This file is a handle for the PID namespace of the process. +This file is a handle for the PID namespace of the process. It's +permanent during the whole process life. +.TP +.IR /proc/[pid]/ns/pid_for_children " (since Linux 4.12)" +.\" commit FIXME +This file is a handle for the PID namespace of a next born child +of the process. It's changed after unshare(2) and via setns(2), +so the file may differ from /proc/[pid]/ns/pid. .TP .IR /proc/[pid]/ns/user " (since Linux 3.8)" .\" commit cde1975bc242f3e1072bde623ef378e547b73f91 ^ permalink raw reply related [flat|nested] 8+ messages in thread
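Review bot: in the second hunk of the namespaces.7 patch, "the PID namespace of a next born child of the process" reads awkwardly; suggest "the PID namespace in which the process's future children will be created". The entry could also say that the file can be passed to setns(2) in the same way as /proc/[pid]/ns/pid, since the kernel side sets `.install = pidns_install` for it. The `.\" commit FIXME` placeholder has to be replaced with the mainline commit id before the man-pages submission, as the covering text already notes.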