* Re: [PATCH v3 1/2] man/man7/pid_namespaces.7: Fix requirements on namespace+process trees [not found] ` <20260513083339.27911-1-matthieu@buffet.re> @ 2026-05-13 11:40 ` Alejandro Colomar [not found] ` <20260513083339.27911-2-matthieu@buffet.re> 1 sibling, 0 replies; 2+ messages in thread From: Alejandro Colomar @ 2026-05-13 11:40 UTC (permalink / raw) To: Matthieu Buffet; +Cc: linux-man [-- Attachment #1: Type: text/plain, Size: 1700 bytes --] Hi Matthieu, [CC += linux-man@] (You forgot to CC the list.) On 2026-05-13T10:33:38+0200, Matthieu Buffet wrote: > Creating processes in non-direct-child PID namespaces has been possible > since the addition of setns() support for PID namespaces in commit > 57e8391d3276 (2012-11-19; "pidns: Add setns support"). The tree check in > pidns_install() in kernel/pid_namespace.c has always allowed > non-direct-child PID namespaces, but was written inline instead of the > more readable current pidns_is_ancestor() helper (possibly explaining > the confusion). > > Fixes: 6e377abf9 (2014-09-13; "pid_namespaces.7: Parent process relationships mirror parent PID namespace relationships") > Signed-off-by: Matthieu Buffet <matthieu@buffet.re> Thanks! I've applied the patch. Cheers, Alex > --- > man/man7/pid_namespaces.7 | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/man/man7/pid_namespaces.7 b/man/man7/pid_namespaces.7 > index 1068d5be5..b19afd505 100644 > --- a/man/man7/pid_namespaces.7 > +++ b/man/man7/pid_namespaces.7 
> @@ -214,11 +214,12 @@ and cannot be changed thereafter. > Among other things, > this means that > the parental relationship between processes > -mirrors > +loosely mirrors > the parental relationship between PID namespaces: > the parent of a process > is either in the same namespace > -or resides in the immediate parent PID namespace. > +or resides in an ancestor PID namespace > +(immediate parent or not). > .P > A process may call > .BR unshare (2) > > base-commit: 9afc5a7cfa9ecd91db055abb875e3b83d086f6b5 > -- > 2.47.3 > -- <https://www.alejandro-colomar.es> [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 2+ messages in thread
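Review bot: "loosely mirrors" in the @@ -214 hunk tells the reader that the old rule was too strict without saying what the real rule is, and the real rule is exact, not loose: the parent of a process is always in the same PID namespace or in an ancestor of it, never in a descendant or an unrelated namespace. Suggest stating that invariant directly, e.g. "the PID namespace of a process's parent / is always the process's own namespace / or an ancestor of it", and rewording "(immediate parent or not)" as "(not necessarily the immediate parent)". Since the old wording stood for years, the justification in the commit message (setns() support for PID namespaces since 57e8391d3276, and the ancestor check in pidns_install()) would be worth a sentence in the page itself rather than only in the commit log.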
* Re: [PATCH v3 2/2] man/man7/pid_namespaces.7: Add setns restriction and reasoning [not found] ` <20260513083339.27911-2-matthieu@buffet.re> @ 2026-05-13 11:41 ` Alejandro Colomar 0 siblings, 0 replies; 2+ messages in thread From: Alejandro Colomar @ 2026-05-13 11:41 UTC (permalink / raw) To: Matthieu Buffet; +Cc: linux-man [-- Attachment #1: Type: text/plain, Size: 2145 bytes --] [CC += linux-man@] Hi Matthieu, (You forgot to CC the list.) On 2026-05-13T10:33:39+0200, Matthieu Buffet wrote: > The logical implication between PID namespaces being readonly after > process creation and process trees needing to loosely mirror PID > namespaces is not trivial to follow. Part of that implication is > implicit: since PID namespace membership is readonly, one has to use > fork() or one of its variants to "change" PID namespace, and these APIs > need to return a valid child PID in the parent namespace. The > consequence could also be made more explicit (setns() will fail on > non-descendant PID namespaces) while explaining how this is implemented. > > Signed-off-by: Matthieu Buffet <matthieu@buffet.re> I've applied the patch. Thanks! Cheers, Alex > --- > man/man7/pid_namespaces.7 | 17 +++++++++++++++-- > 1 file changed, 15 insertions(+), 2 deletions(-) > > diff --git a/man/man7/pid_namespaces.7 b/man/man7/pid_namespaces.7 > index b19afd505..c4a4a2723 100644 > --- a/man/man7/pid_namespaces.7 > +++ b/man/man7/pid_namespaces.7 > @@ -211,8 +211,12 @@ which would break many applications and libraries. > To put things another way: > a process's PID namespace membership is determined when the process is created > and cannot be changed thereafter. > -Among other things, > -this means that > +.P > +Because of this, > +and because system calls to create a process > +in another namespace > +need to return a meaningful new PID > +in the namespace of their caller, > the parental relationship between processes > loosely mirrors > the parental relationship between PID namespaces: 
> @@ -220,6 +224,15 @@ the parent of a process > is either in the same namespace > or resides in an ancestor PID namespace > (immediate parent or not). > +This is enforced by the design of > +.BR clone (2) > +and > +.BR unshare (2), > +while > +.BR setns (2) > +is restricted to only accept > +the current PID namespace > +and its descendants. > .P > A process may call > .BR unshare (2) > -- > 2.47.3 > -- <https://www.alejandro-colomar.es> [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 2+ messages in thread
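Review bot: in the @@ -211 hunk the new ".P" turns "Because of this," into the opener of a fresh paragraph, so its antecedent (membership fixed at creation) now sits a paragraph away; spell it out, e.g. "Because PID namespace membership is fixed at creation, / and because system calls that create a process / in another namespace / need to return a meaningful new PID / in the namespace of their caller,". "system calls to create a process in another namespace" also reads as if such a call could target an arbitrary namespace; saying "in a descendant namespace" here keeps the sentence consistent with the restriction the paragraph goes on to describe.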
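Review bot: in the @@ -220 hunk the commit message says the goal is to make explicit that setns() fails for non-descendant PID namespaces, but the text only says it "is restricted to only accept" them, which states neither that the call fails nor where the error is documented; suggest ".BR setns (2) / accepts only the caller's current PID namespace / or one of its descendants, / and fails for any other namespace", with a cross-reference to setns(2) for the error value ("restricted to only accept" also splits the infinitive). "This is enforced by the design of clone(2) and unshare(2)" would be clearer with the one clause that explains why: each of them can only create a new PID namespace as a child of the caller's current one, so neither can produce a parent in a descendant namespace. Finally, since the commit message itself notes that membership is read-only and a fork() is needed to "change" namespace, a reminder that setns(2) affects only children created afterwards would stop this paragraph from implying that the caller itself moves.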
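The rule the two patches document (a setns(2) target is accepted only when it is the caller's current PID namespace or a descendant of it, which is what keeps every parent process in the same namespace as its child or in an ancestor of it) is easy to check on a small tree. The following is an added model written for this page, not the kernel's pidns_install() or pidns_is_ancestor() code and not part of the man-pages project; the namespace table, the names A, A1, A2, A2x and B, and the function names are constructed for illustration. It walks the parent chain of the target and reports the decision the rule gives for each caller/target pair.

```c
/* Illustrative model of the PID-namespace ancestor check discussed in
 * the thread.  It is written for this page and is NOT the kernel's
 * pidns_install()/pidns_is_ancestor(); it only reproduces the rule the
 * man-page text states: setns(2) accepts the caller's current PID
 * namespace or one of its descendants, and rejects everything else. */
#include <stdbool.h>
#include <stdio.h>

struct pidns {
    const char *name;
    int parent;             /* index into ns_table, or -1 for the root */
};

/* Constructed sample tree (assumed data, not from any real system):
 *   root
 *   |-- A
 *   |   |-- A1
 *   |   `-- A2
 *   |       `-- A2x
 *   `-- B
 */
static const struct pidns ns_table[] = {
    {"root", -1},
    {"A",     0},
    {"A1",    1},
    {"A2",    1},
    {"A2x",   3},
    {"B",     0},
};
enum { NS_ROOT, NS_A, NS_A1, NS_A2, NS_A2X, NS_B, NS_COUNT };

/* True if `ancestor` is `child` itself or lies on `child`'s parent chain. */
bool pidns_is_ancestor_model(int child, int ancestor)
{
    for (int cur = child; cur != -1; cur = ns_table[cur].parent)
        if (cur == ancestor)
            return true;
    return false;
}

/* Decision the rule gives for a setns(fd_of_target, CLONE_NEWPID) call
 * made by a process whose current PID namespace is `active`. */
bool setns_pidns_allowed(int active, int target)
{
    return pidns_is_ancestor_model(target, active);
}

/* Parent/child invariant from the man-page text: a child's PID namespace
 * must be its parent's namespace or a descendant of it, never an
 * ancestor or an unrelated namespace. */
bool parent_child_ns_valid(int parent_ns, int child_ns)
{
    return pidns_is_ancestor_model(child_ns, parent_ns);
}

/* Stand-alone run: print the setns(2) decision for every pair. */
int main(void)
{
    printf("%-6s", "from\\to");
    for (int t = 0; t < NS_COUNT; t++)
        printf(" %5s", ns_table[t].name);
    putchar('\n');
    for (int a = 0; a < NS_COUNT; a++) {
        printf("%-6s", ns_table[a].name);
        for (int t = 0; t < NS_COUNT; t++)
            printf(" %5s", setns_pidns_allowed(a, t) ? "ok" : "no");
        putchar('\n');
    }
    return 0;
}
```

The table makes the asymmetry visible: a process in A may enter A, A1, A2 or A2x, but a process in A2x may not enter A or root, and nothing outside the B subtree may enter B. Because the check only ever lets a caller move its future children downward, the parent of any process created afterwards is still in that process's namespace or an ancestor of it, which is exactly the invariant the amended man-page paragraph states.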