Re: [PATCH v4] pidns: introduce syscall translate_pid

From: Andrew Morton
Date: Mon Oct 16 2017 - 17:36:34 EST


On Sat, 14 Oct 2017 11:17:47 +0300 Konstantin Khlebnikov <khlebnikov@xxxxxxxxxxxxxx> wrote:

> >>> pid_t translate_pid(pid_t pid, int source, int target);
> >>>
> >>> This syscall converts a pid from the source pid-ns into a pid in the target pid-ns.
> >>> If the pid is unreachable from the target pid-ns it returns zero.
> >>>
> >>> Pid-namespaces are referred to by file descriptors opened to the proc files
> >>> /proc/[pid]/ns/pid or /proc/[pid]/ns/pid_for_children. A negative argument
> >>> refers to the current pid namespace, same as the file /proc/self/ns/pid.
> >>>
> >>> The kernel exposes virtual pids in /proc/[pid]/status:NSpid, but backward
> >>> translation requires scanning all tasks. Also, pids could be translated
> >>> by sending them through a unix socket between namespaces, but this method is
> >>> slow and insecure because the other side is exposed inside the pid namespace.
>
> Andrew asked why we might need this.
>
> Such a conversion is required for interaction between processes across pid-namespaces.
> For example, to identify a process in a container by its pid file when looking from outside.
>
> Two years ago I solved this in a project of mine with monstrous code which
> forks a couple of times just to convert a pid; lucky for me, performance wasn't important.

That's a single user who needed this a single time, and found a
userspace-based solution anyway. This is not exactly compelling!

Is there a stronger case to be made? How does this change benefit our
users? Sell it to us!
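The quoted patch description says today's userspace alternative is to read the NSpid line of /proc/[pid]/status (forward translation) and, for the backward direction, to scan every task. The following is an added example, not code from the thread or from the proposed patch: it implements exactly that fallback so the per-lookup cost the syscall was meant to remove is visible. It assumes the documented NSpid layout (pid in the reader's namespace first, then in each nested child namespace down to the task's own) and identifies a pid namespace by the inode of /proc/[pid]/ns/pid. The sample status texts and inode numbers are constructed; `load_proc_statuses` reads a live Linux /proc if you want real input.

```python
"""Userspace pid translation via /proc/[pid]/status NSpid (added example).

Not part of the LKML thread or the proposed translate_pid() patch; it shows the
scan-based approach the patch description describes as the status quo.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# NSpid line as written by the kernel, e.g. "NSpid:\t4388\t17"
NSPID_RE = re.compile(r"^NSpid:\s*(.*)$", re.MULTILINE)


def nspid_chain(status_text: str) -> List[int]:
    """Return the NSpid chain of one task: its pid in the reader's namespace
    first, then its pid in each nested child namespace it belongs to."""
    m = NSPID_RE.search(status_text)
    if not m:
        raise ValueError("no NSpid line: not a Linux status file or kernel too old")
    return [int(tok) for tok in m.group(1).split()]


def translate_outward(status_text: str, level: int) -> Optional[int]:
    """Forward translation from one status read: the task's pid at nesting
    depth `level` (0 = reader's namespace, 1 = first child, ...). Returns None
    when the task is not inside a namespace that deep, i.e. unreachable
    (the proposed syscall returns 0 for that case)."""
    chain = nspid_chain(status_text)
    return chain[level] if level < len(chain) else None


def translate_inward(target_pid: int, target_ns_inode: int,
                     statuses: Dict[int, str], ns_inodes: Dict[int, int]) -> int:
    """Backward translation: which pid in the reader's namespace is `target_pid`
    inside the pid namespace whose /proc/[pid]/ns/pid inode is `target_ns_inode`?

    This is the expensive direction: every task has to be inspected, and the
    answer races with tasks that exit or get created during the scan. Matching
    on the namespace inode keeps two sibling containers that both have a pid 1
    apart. Only tasks living directly in the target namespace are covered;
    tasks in a grandchild namespace would need the parent chain walked
    (NS_GET_PARENT ioctl). Returns 0 when nothing matches, like the syscall."""
    for outer_pid, text in statuses.items():
        if ns_inodes.get(outer_pid) != target_ns_inode:
            continue
        chain = nspid_chain(text)
        if chain[-1] == target_pid:        # last entry = pid in the task's own ns
            return outer_pid
    return 0


def load_proc_statuses() -> Tuple[Dict[int, str], Dict[int, int]]:
    """Read every /proc/[pid]/status and ns/pid inode on a live Linux host.
    Tasks that vanish mid-scan are skipped; nothing here needs privileges
    beyond being able to see the tasks in /proc."""
    statuses: Dict[int, str] = {}
    ns_inodes: Dict[int, int] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/status") as f:
                statuses[int(name)] = f.read()
            ns_inodes[int(name)] = os.stat(f"/proc/{name}/ns/pid").st_ino
        except OSError:
            continue
    return statuses, ns_inodes


# Constructed sample: three tasks as seen from the host's pid namespace.
# 4321 is a container's init (pid 1 inside), 4388 is nginx in that container.
SAMPLE_STATUSES = {
    1:    "Name:\tsystemd\nPid:\t1\nNSpid:\t1\n",
    4321: "Name:\tcontainer-init\nPid:\t4321\nNSpid:\t4321\t1\n",
    4388: "Name:\tnginx\nPid:\t4388\nNSpid:\t4388\t17\n",
}
HOST_NS = 4026531836       # constructed inode numbers, not from any real host
CONTAINER_NS = 4026532455
SAMPLE_NS_INODES = {1: HOST_NS, 4321: CONTAINER_NS, 4388: CONTAINER_NS}


if __name__ == "__main__":
    # forward: host pid 4388 seen from inside the container
    print("4388 inside container ->", translate_outward(SAMPLE_STATUSES[4388], 1))
    # backward: container pid 17 resolved to a host pid, scanning every task
    print("container pid 17 on host ->",
          translate_inward(17, CONTAINER_NS, SAMPLE_STATUSES, SAMPLE_NS_INODES))
```

The forward direction costs one file read per lookup; the backward direction costs one read per task on the system, which is the asymmetry the patch description is complaining about, and the scan is inherently racy against pid reuse.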