* Re: [GIT PULL 05/17 for v6.19] namespaces [not found] ` <20251128-kernel-namespaces-v619-28629f3fc911@brauner> @ 2025-12-01 19:06 ` Eric W. Biederman 2025-12-02 17:00 ` Linus Torvalds 0 siblings, 1 reply; 3+ messages in thread From: Eric W. Biederman @ 2025-12-01 19:06 UTC (permalink / raw) To: Christian Brauner Cc: Linus Torvalds, linux-fsdevel, linux-kernel, Linux Containers Christian Brauner <brauner@kernel.org> writes: > Hey Linus, > > /* Summary */ > This contains substantial namespace infrastructure changes including a new > system call, active reference counting, and extensive header cleanups. > The branch depends on the shared kbuild branch for -fms-extensions > support. I am missing something. From the description it looks like you are making nested containers impossible once this feature is adopted. Because the container will be able to see all of the other namespaces and thus to see outside of it's own namespace. The reason such as system call has not been introduced in the past is because it introduces the namespace of namespace problem. How have you solved the namespace of namespaces problem? If you want nesting of containers the listing of namespaces very much must be incomplete. I haven't looked at reviewed or looked at the code yet because the code was not posted in any of the usual places for container development, nor was I copied. Can you please describe how you are avoiding the namespace of namespaces problem? Eric ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [GIT PULL 05/17 for v6.19] namespaces 2025-12-01 19:06 ` [GIT PULL 05/17 for v6.19] namespaces Eric W. Biederman @ 2025-12-02 17:00 ` Linus Torvalds 2025-12-03 10:07 ` Christian Brauner 0 siblings, 1 reply; 3+ messages in thread From: Linus Torvalds @ 2025-12-02 17:00 UTC (permalink / raw) To: Eric W. Biederman Cc: Christian Brauner, linux-fsdevel, linux-kernel, Linux Containers On Mon, 1 Dec 2025 at 11:06, Eric W. Biederman <ebiederm@xmission.com> wrote: > > The reason such as system call has not been introduced in the past > is because it introduces the namespace of namespace problem. > > How have you solved the namespace of namespaces problem? So I think Christian would be better at answering this, but to a first approximation I think the explanation from commit 76b6f5dfb3fd ("nstree: add listns()") gives some high-level rules: listns() respects namespace isolation and capabilities: (1) Global listing (user_ns_id = 0): - Requires CAP_SYS_ADMIN in the namespace's owning user namespace - OR the namespace must be in the caller's namespace context (e.g., a namespace the caller is currently using) - User namespaces additionally allow listing if the caller has CAP_SYS_ADMIN in that user namespace itself (2) Owner-filtered listing (user_ns_id != 0): - Requires CAP_SYS_ADMIN in the specified owner user namespace - OR the namespace must be in the caller's namespace context - This allows unprivileged processes to enumerate namespaces they own (3) Visibility: - Only "active" namespaces are listed - A namespace is active if it has a non-zero __ns_ref_active count - This includes namespaces used by running processes, held by open file descriptors, or kept active by bind mounts - Inactive namespaces (kept alive only by internal kernel references) are not visible via listns() but it would be very nice if you were to take a closer look at the whole thing and make sure you're satisfied with it all.. Even just a "overview scan" would be lovely. Linus ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [GIT PULL 05/17 for v6.19] namespaces 2025-12-02 17:00 ` Linus Torvalds @ 2025-12-03 10:07 ` Christian Brauner 0 siblings, 0 replies; 3+ messages in thread From: Christian Brauner @ 2025-12-03 10:07 UTC (permalink / raw) To: Linus Torvalds Cc: Eric W. Biederman, linux-fsdevel, linux-kernel, Linux Containers On Tue, Dec 02, 2025 at 09:00:57AM -0800, Linus Torvalds wrote: > On Mon, 1 Dec 2025 at 11:06, Eric W. Biederman <ebiederm@xmission.com> wrote: > > > > The reason such as system call has not been introduced in the past > > is because it introduces the namespace of namespace problem. > > > > How have you solved the namespace of namespaces problem? > > So I think Christian would be better at answering this, but to a first > approximation I think the explanation from commit 76b6f5dfb3fd > ("nstree: add listns()") gives some high-level rules: After last year's round I've caught another lung infection so I'm a bit incapacitated and not working. Visibility is currently based on the user namespace. It's possible to list all namespaces that are owned by a given user namespaces. So a caller in an unprivileged container is only able to list namespaces that they directly own or namespaces owned by descendant namespaces. That's tracked in the namespace tree. The self-tests verify this as well. So it is not possible to break out of that hierarchy. As this is expressily an introspection system call it allows to list sibling namespaces owned by the same user namespace ofc as its tailored for container managers. This will be used in high-privileged container managers and in systemd for service supervision so if there's any concerns that the current standard access regulation and seccomp() isn't enough I'm more than happy to require global CAP_SYS_ADMIN. ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-12-03 10:07 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20251128-vfs-v619-77cd88166806@brauner>
[not found] ` <20251128-kernel-namespaces-v619-28629f3fc911@brauner>
2025-12-01 19:06 ` [GIT PULL 05/17 for v6.19] namespaces Eric W. Biederman
2025-12-02 17:00 ` Linus Torvalds
2025-12-03 10:07 ` Christian Brauner
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox