From: Mike Waychison <mikew@google.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: jamie@shareable.org, linuxram@us.ibm.com,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
akpm@osdl.org, viro@parcelfarce.linux.theplanet.co.uk
Subject: Re: [RFC][PATCH] rbind across namespaces
Date: Tue, 24 May 2005 10:44:39 -0700 [thread overview]
Message-ID: <42936807.2000807@google.com> (raw)
In-Reply-To: <E1DadFv-0004Te-00@dorka.pomaz.szeredi.hu>
Miklos Szeredi wrote:
>>>>In what sense? readlink of /proc/PID/fd/* will provide a pathname
>>>>relative to current's root: useless for any paths not in current's
>>>>namespace.
>>>
>>>
>>>Not readlink, but actual dereference of link will give you exactly the
>>>vfsmount/dentry the file was opened on. If you want to bind/move
>>>whatever on that mount, that's possible, even if it's a "detached
>>>tree".
>>
>>Removing proc_check_root essentially removes any protection that
>>namespaces provided in the first place.
>>
>>Think of it like virtual memory. You can fork off and create your own
>>COW instance, and no one can see what you are doing unless they ptrace
>>you or explicitly ask you. The mountfd model allows for explicit
>>handing off of vfsmounts between namespaces without allowing arbitrary
>>access.
>
>
> Note: I didn't say we should remove proc_check_root(). I said _if_
> you remove it, _then_ mounting on foreign namespace will work, which
> has actually been confirmed experimentally.
>
OK.
> So your follow_link argument doesn't hold. The proc code does the
> follow_link in some clever way, that the looked up object will end up
> with the same vfsmount/dentry pair as the file.
>
Yes. I hadn't realized that the only safe-guard in place was
proc_check_root. I had made the assumption that follow_link was using
vfs_follow_link with the readlink info.
>
>>Yet even this doesn't allow userspace to define it's own policy for
>>inter-namespace manipulation.
>
>
> OK. Let's keep the kernel policy simple: just allow a process to
> access it's _own_ file descriptors in proc. I.e. allow access to
> /proc/self/fd/* even if it comes from a foreign namespace.
>
> Then the policy (who passes whom the file descriptors) is entirely up
> to userspace (just as with your scheme).
>
> /proc/self/fd/FD doesn't give any extra rights to the process, it just
> makes mounting from/to detached mounts, and foreign namespaces
> possible without new interfaces.
So you'd say 'mount /dev/foo /proc/self/fd/4' if 4 was an fd pointing to
a directory in another namespace?
That does require proc_check_root be removed. :\
>
>
>>Beware that due to the detached-subtrees bit, the locking became a bit
>>ugly, requiring a global rw_lock for mntget/mntput. I still haven't
>>figured out a better way to keep per-vfsmounts counts and per-subtree
>>counts in sync.
>
>
> Did you measure the effect on performace? Maybe it isn't so bad.
As far as I could tell without doing high-smp benchmarks, it doesn't
slow anything down. In this case, we aren't on the fastest path anyway,
as we are usually
a) walking a path across a mountpoint, requiring the global
vfsmount_lock anyway.
b) closing a file, which isn't fast either.
You could micro-optimize the pivoting of from one vfsmount to another
during a walk to only grab the lock once, but there may be no profound
effect and any gains would be lost in the noise.
Mike Waychison
next prev parent reply other threads:[~2005-05-24 17:45 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-05-20 22:11 [RFC][PATCH] rbind across namespaces Ram
2005-05-21 6:27 ` Miklos Szeredi
2005-05-21 7:26 ` Ram
2005-05-21 8:09 ` Miklos Szeredi
2005-05-21 8:45 ` Ram
2005-05-21 9:09 ` Miklos Szeredi
2005-05-21 10:07 ` Ram
2005-05-21 13:12 ` Miklos Szeredi
2005-05-22 20:25 ` Ram
2005-05-22 20:51 ` Ram
2005-05-23 5:08 ` Miklos Szeredi
2005-05-23 7:24 ` Ram
2005-05-23 8:24 ` Miklos Szeredi
2005-05-21 9:48 ` Miklos Szeredi
2005-05-21 13:46 ` Jamie Lokier
2005-05-22 8:08 ` Miklos Szeredi
2005-05-22 17:04 ` [RFC][PATCH] /proc/dead_mounts support (Was: [RFC][PATCH] rbind across ...) Miklos Szeredi
2005-05-22 21:10 ` [RFC][PATCH] rbind across namespaces Ram
2005-05-23 5:07 ` Miklos Szeredi
2005-05-24 0:39 ` Mike Waychison
2005-05-24 5:43 ` Miklos Szeredi
2005-05-24 7:13 ` Mike Waychison
2005-05-24 8:25 ` Miklos Szeredi
2005-05-24 17:09 ` Mike Waychison
2005-05-24 17:31 ` Miklos Szeredi
2005-05-24 17:44 ` Mike Waychison [this message]
2005-05-24 17:56 ` Miklos Szeredi
2005-05-24 18:04 ` Mike Waychison
2005-05-30 19:06 ` Ram
2005-05-24 9:18 ` Miklos Szeredi
2005-05-24 17:15 ` Mike Waychison
2005-05-24 17:46 ` Miklos Szeredi
2005-05-24 18:15 ` Jamie Lokier
2005-05-24 18:33 ` Mike Waychison
2005-05-24 21:51 ` Jamie Lokier
2005-05-21 13:43 ` Jamie Lokier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42936807.2000807@google.com \
--to=mikew@google.com \
--cc=akpm@osdl.org \
--cc=jamie@shareable.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxram@us.ibm.com \
--cc=miklos@szeredi.hu \
--cc=viro@parcelfarce.linux.theplanet.co.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).