Received: by 10.213.65.68 with SMTP id h4csp1246151imn; Wed, 4 Apr 2018 15:33:12 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+S9sUOurTOU1Pd8m1Cg3Xk/dWG11sCHmEWfC15BA2fy0PETceONoN6ZLfB/Gq+CMIfqL+y X-Received: by 2002:a17:902:b08a:: with SMTP id p10-v6mr20473664plr.60.1522881192613; Wed, 04 Apr 2018 15:33:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522881192; cv=none; d=google.com; s=arc-20160816; b=Jfle0MATTjr/Z4TXXaJ992DO0fTffKOZsiF+3dyq225ttXJuEXO86xUpezdCtHC8RM GpTW364sSRgi7YnEawHATSczdSM9pjENPjuiTLMboHkioSkbm2Fy24YJbx4aDY6ELO7D iFdcnrGL1uvDOaOWkqr9u9h5m46K3jjnjwYPgXqLK1O4bBQI3wlNb5w/P7KpIGyXlUrl 14nhj6t/HWTH1ppu9r13tWy+GTOquZtwpahNQgkYu9z61TpoSX1SvMFnqevvEPmOjS+9 /r99dskXPJ9V8VEODtDFL7dt6F1FPYbeCXqONY2qm6e6TB4Bc0kxzey8sm3Fc5pUQlFs O8ig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:mime-version:user-agent :message-id:in-reply-to:date:references:cc:to:from :arc-authentication-results; bh=k01yjcTCrNbwFpOnZglDKzUhRo/w1GaQvtXxsovPIe8=; b=Y75Rzq/uCAz4AQNtNJjDNh8ObKntgsWu0QWfen8JW3EZGb9IVFAFQglDBIndeLnKvF k53dTQWdwNuknpABc2DjxR4OuPwNDsnwRV+DWhc9V/7jyT3vXP8leetVHbtP+YQvdMi6 ATC2ThrJO5pSVgAoGb1XF413BKmSFgOIBUVR7xcb3zlarwzsSIMWyh5FLl+DBXHSlwdP x004tjDnZhg2UCJAdgsLvxPqStwnvqiR+sY6Du88bYduD/+dScYOm5ju+dxhAhdCpvMM 5HZ0dqDTbZZvUqIz76sIBj98u1PltgHI4s2kMZvyPwsC+u5ACESSfeFtanDRp9rfdpXZ zICQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u1-v6si4811699plj.409.2018.04.04.15.32.58; Wed, 04 Apr 2018 15:33:12 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752506AbeDDWao (ORCPT + 99 others); Wed, 4 Apr 2018 18:30:44 -0400 Received: from out03.mta.xmission.com ([166.70.13.233]:57675 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751956AbeDDWam (ORCPT ); Wed, 4 Apr 2018 18:30:42 -0400 Received: from in01.mta.xmission.com ([166.70.13.51]) by out03.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1f3qvQ-00085p-Ky; Wed, 04 Apr 2018 16:30:40 -0600 Received: from 67-3-145-25.omah.qwest.net ([67.3.145.25] helo=x220.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1f3qvO-0001ak-Rq; Wed, 04 Apr 2018 16:30:40 -0600 From: ebiederm@xmission.com (Eric W. Biederman) To: Nagarathnam Muthusamy Cc: Konstantin Khlebnikov , linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, Jann Horn , Serge Hallyn , Oleg Nesterov , Andy Lutomirski , Prakash Sangappa , Andrew Morton References: <152286911105.615669.14053871624892399807.stgit@buzz> Date: Wed, 04 Apr 2018 17:29:30 -0500 In-Reply-To: (Nagarathnam Muthusamy's message of "Wed, 4 Apr 2018 13:31:32 -0700") Message-ID: <87h8oqhagl.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1f3qvO-0001ak-Rq;;;mid=<87h8oqhagl.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=67.3.145.25;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX19bOK6W7HUKVE0ybE/oB48tGTZ6E/GLy3I= X-SA-Exim-Connect-IP: 67.3.145.25 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa06.xmission.com X-Spam-Level: X-Spam-Status: No, score=-0.2 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,TVD_RCVD_IP,T_TM2_M_HEADER_IN_MSG autolearn=disabled version=3.4.1 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa06 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Nagarathnam Muthusamy X-Spam-Relay-Country: X-Spam-Timing: total 1247 ms - load_scoreonly_sql: 0.04 (0.0%), signal_user_changed: 2.6 (0.2%), b_tie_ro: 1.76 (0.1%), parse: 0.73 (0.1%), extract_message_metadata: 13 (1.0%), get_uri_detail_list: 1.52 (0.1%), tests_pri_-1000: 6 (0.5%), tests_pri_-950: 1.15 (0.1%), tests_pri_-900: 0.97 (0.1%), tests_pri_-400: 23 (1.9%), check_bayes: 22 (1.8%), b_tokenize: 6 (0.5%), b_tok_get_all: 8 (0.6%), b_comp_prob: 2.4 (0.2%), b_tok_touch_all: 3.2 (0.3%), b_finish: 0.60 (0.0%), tests_pri_0: 1191 (95.5%), check_dkim_signature: 0.74 (0.1%), check_dkim_adsp: 3.3 (0.3%), tests_pri_500: 6 (0.5%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH RFC v5] pidns: introduce syscall translate_pid X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Nagarathnam Muthusamy writes: > On 04/04/2018 12:11 PM, Konstantin Khlebnikov wrote: >> Each process have different pids, one for each pid namespace it belongs. >> When interaction happens within single pid-ns translation isn't required. >> More complicated scenarios needs special handling. >> >> For example: >> - reading pid-files or logs written inside container with pid namespace >> - attaching with ptrace to tasks from different pid namespace >> - passing pids across pid namespaces in any kind of API >> >> Currently there are several interfaces that could be used here: >> >> Pid namespaces are identified by inode number of /proc/[pid]/ns/pid. Using the inode number in interfaces is not an option. Especially not withou referencing the device number for the filesystem as well. >> Pids for nested Pid namespaces are shown in file /proc/[pid]/status. >> In some cases conversion pid -> vpid could be easily done using this >> information, but backward translation requires scanning all tasks. >> >> Unix socket automatically translates pid attached to SCM_CREDENTIALS. >> This requires CAP_SYS_ADMIN for sending arbitrary pids and entering >> into pid namespace, this expose process and could be insecure. >> >> This patch adds new syscall for converting pids between pid namespaces: >> >> pid_t translate_pid(pid_t pid, int source_type, int source, >> int target_type, int target); >> >> @source_type and @target_type defines type of following arguments: >> >> TRANSLATE_PID_CURRENT_PIDNS - current pid namespace, argument is unused >> TRANSLATE_PID_TASK_PIDNS - task pid-ns, argument is task pid > > I believe using pid to represent the namespace has been already > discussed in V1 of this patch in https://lkml.org/lkml/2015/9/22/1087 > after which we moved on to fd based version of this interface. Or in short why is the case of pids important? You Konstantin you almost said why they were important in your message saying you were going to send this one. However you don't explain in your description why you want to identify pid namespaces by pid. Eric