Re: Discuss the implementation of pidns_install()

From: Kees Cook
Date: Mon Oct 09 2023 - 16:08:12 EST

Next message: Arnd Bergmann: "Re: [PATCH] Bluetooth: mark bacmp() and bacpy() as __always_inline"
Previous message: Rob Herring: "Re: [PATCH] pwm: Use device_get_match_data()"
Next in thread: yunhui cui: "Re: [External] Re: Discuss the implementation of pidns_install()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Sep 20, 2023 at 05:37:20PM +0800, yunhui cui wrote:
> Hi Kees, jeff, Andrew, Christian,
>
> We hope that containers at the same level can also switch pid namespace.
> To fork() the entire pstree of a container, we need to switch from the pid
> namespace of the template container to the target container's pid
> namespace. But it is blocked by the following code:
>
> ...
> while (ancestor->level > active->level)
> ancestor = ancestor->parent;
> if (ancestor != active)
> return -EINVAL;
> ...
>
> Can we give this code permission, such as CAP_SYS_ADMIN ..., so that those
> with this permission can switch to sibling pid namespace. Rather than just
> parent, parent ...
>
> Do you think this plan is okay? Or can you give me some suggestions?

I'll defer to Christian on this, but it seems like moving processes
sideways is kind of unexpected. I agree it'd need privilege if we did
it, though.

--
Kees Cook

Next message: Arnd Bergmann: "Re: [PATCH] Bluetooth: mark bacmp() and bacpy() as __always_inline"
Previous message: Rob Herring: "Re: [PATCH] pwm: Use device_get_match_data()"
Next in thread: yunhui cui: "Re: [External] Re: Discuss the implementation of pidns_install()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]