[RFC] [PATCH 0/2] namespace enter through hijack

Serge E. Hallyn serue at us.ibm.com
Wed Aug 29 13:04:20 PDT 2007


This patchset implements namespace entering by forcing a task in
the target namespace to clone itself.  This has some advantages
over just replacing a random task's namespace pointers to the
target ones.  In particular

	1. If switching pid namespaces, the stack of upids is
	   automatically correctly generated.
	2. Security context is inherited from the target
	   task.  Assuming a security module which labels
	   data based on the task security context, like selinux,
	   this may prevent severe mislabeling of container data by
	   an inadvertant host system administrator action.
	   Whether that works or not will still depend on the
	   policy and the task cloned.

While this version takes a pid of a process to clone (for
convenience of prototyping) we may prefer to use a ns_container
name and choose one of it's tasks, to prevent pid wraparound.

Tested and 'works for me', but at the moment I'm just sending
this out for discussion.

Alternatives to this include bind_ns()+switch_ns() by Cedric
and the ns_container namespace entering enhancements I've
previously sent.

thanks,
-serge


More information about the Containers mailing list