[PATCH 0/4] user namespaces: introduction
Serge E. Hallyn
serue at us.ibm.com
Mon Jan 28 11:44:50 PST 2008
Quoting Daniel Hokka Zakrisson (daniel at hozac.com):
> Serge E. Hallyn wrote:
> > Here is a small patchset I've been sitting on for awhile
> > to make signaling mostly subject to user namespaces. In
> > particular,
> > 1. store user_namespace in user struct
> > 2. introduce CAP_NS_OVERRIDE
> > 3. require CAP_NS_OVERRIDE to signal another user namespace
> > The first step should have been done all along. Else wouldn't
> > a hash collision on (ns1, uid) and (ns2, uid), however unlikely,
> > give us wrong results at uid_hash_find()?
> Unless I've completely misunderstood the code, each namespace has a
> separate hash. Please correct me if I'm wrong.
So it does!
Yikes, how did I misread that so badly?
That means the find_user() code may be simplified a bit after all.
Well, or we could keep this and go to a single hash to save some
> > The main remaining signaling+userns issue is of course the
> > siginfo. Tacking a userns onto siginfo is a pain due to
> > lifetime mgmt issues. I haven't decided whether to just
> > catch all the callers and fake uid=0 if user namespaces
> > aren't the same, introduce some unique non-refcounted id to
> > represent (user,user_ns), or find some other way to deal with
> > it.
> > thanks,
> > -serge
> Daniel Hokka Zakrisson
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Containers