Date: Tue, 12 Jul 2016 20:59:26 -0700
From: "W. Trevor King"
To: Andrew Vagin
Cc: "Eric W. Biederman", James Bottomley, "Michael Kerrisk (man-pages)", Linux API, Containers, lkml, criu@openvz.org
Subject: Re: [CRIU] Introspecting userns relationships to other namespaces?
Message-ID: <20160713035926.GJ4916@odin.tremily.us>
In-Reply-To: <20160713000842.GC5818@outlook.office365.com>

On Tue, Jul 12, 2016 at 05:08:43PM -0700, Andrew Vagin wrote:
> Here is a patch to get an owning user namespace:
> https://github.com/avagin/linux-task-diag/commit/7fad8ff3fc4110bebf0920cec2388390b3bd2238
> https://github.com/avagin/linux-task-diag/commit/2663bc803d324785e328261f3c07a0fef37d2088
>
> Here is an example of how it looks from user-space:
> https://github.com/avagin/linux-task-diag/blob/namespaces/tools/testing/selftests/nsfs/owner.c#L49

Overall this looks good to me (I left a handful of uninformed comments
inline ;). It doesn't make it easy to walk leafward, but it doesn't
look like the kernel has a convenient way to list child namespaces
either.

Something like /proc//task//children (with CONFIG_PROC_CHILDREN) for
namespaces would make it easier to get a complete system overview (as
far as your credentials and position in the namespace hierarchies
allow). But looking at the CONFIG_PROC_CHILDREN implementation doesn't
make me all that excited about mimicking it for namespaces ;). You can
still brute-force it in userspace by walking the root-most procfs's
you can find and peeking at all the /proc//ns/… entries (but yuck ;).

With mount and other namespaces not being hierarchical, the “leafward”
idea may not be all that useful anyway, but having a more compact
collection of mount namespaces (say) that you know about would be
nice. Where “know about” should probably mean “know it exists” but
not necessarily “have permission to enter”. Still, getting that
figured out can happen independently of this parent/owner work.

Cheers,
Trevor

--
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
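
The brute-force userspace walk mentioned in the message, sketched as an added example that is not part of the original email or of the linux-task-diag patches: it reads the per-process ns/ symlinks under one procfs root and groups PIDs by namespace type and inode, keeping processes it can see but not inspect in a separate list. The function names, the proc_root parameter and the sample tree with its inode numbers are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")  # link text, e.g. "mnt:[4026531840]"


def collect_namespaces(proc_root="/proc"):
    """Return ({(type, inode): [pids]}, [pids whose ns links were unreadable])."""
    seen, denied = defaultdict(set), set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip non-process entries such as "sys" or "self"
        pid, ns_dir = int(entry), os.path.join(proc_root, entry, "ns")
        try:
            for name in os.listdir(ns_dir):
                match = NS_LINK.match(os.readlink(os.path.join(ns_dir, name)))
                if match:
                    seen[(match.group(1), int(match.group(2)))].add(pid)
        except PermissionError:
            denied.add(pid)  # the process exists, but we may not inspect it
        except OSError:
            pass  # process exited during the walk
    return {key: sorted(pids) for key, pids in seen.items()}, sorted(denied)


def build_sample_proc(root):
    """Constructed stand-in for a procfs mount: three PIDs, made-up inodes."""
    layout = {1: {"mnt": 4026531840, "user": 4026531837},
              200: {"mnt": 4026532201, "user": 4026531837},
              201: {"mnt": 4026532201, "user": 4026532200}}
    os.makedirs(os.path.join(root, "sys"))
    for pid, links in layout.items():
        os.makedirs(os.path.join(root, str(pid), "ns"))
        for kind, inode in links.items():
            os.symlink(f"{kind}:[{inode}]", os.path.join(root, str(pid), "ns", kind))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_proc(tmp)
        namespaces, denied = collect_namespaces(tmp)
        for (kind, inode), pids in sorted(namespaces.items()):
            print(f"{kind}:[{inode}] pids={pids}")
```

Pointing proc_root at each procfs mount you can reach and merging the results gives the compact per-type collection; a namespace with no visible process in it never shows up in such a walk.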