• Eric W. Biederman's avatar
    Merge branch 'nsfs-ioctls' into HEAD · 78725596
    Eric W. Biederman authored
    From: Andrey Vagin <avagin@openvz.org>
    
    Each namespace has an owning user namespace and now there is not way
    to discover these relationships.
    
    Pid and user namepaces are hierarchical. There is no way to discover
    parent-child relationships too.
    
    Why we may want to know relationships between namespaces?
    
    One use would be visualization, in order to understand the running
    system.  Another would be to answer the question: what capability does
    process X have to perform operations on a resource governed by namespace
    Y?
    
    One more use-case (which usually called abnormal) is checkpoint/restart.
    In CRIU we are going to dump and restore nested namespaces.
    
    There [1] was a discussion about which interface to choose to determing
    relationships between namespaces.
    
    Eric suggested to add two ioctl-s [2]:
    > Grumble, Grumble.  I think this may actually a case for creating ioctls
    > for these two cases.  Now that random nsfs file descriptors are bind
    > mountable the original reason for using proc files is not as pressing.
    >
    > One ioctl for the user namespace that owns a file descriptor.
    > One ioctl for the parent namespace of a namespace file descriptor.
    
    Here is an implementaions of these ioctl-s.
    
    $ man man7/namespaces.7
    ...
    Since  Linux  4.X,  the  following  ioctl(2)  calls are supported for
    namespace file descriptors.  The correct syntax is:
    
          fd = ioctl(ns_fd, ioctl_type);
    
    where ioctl_type is one of the following:
    
    NS_GET_USERNS
          Returns a file descriptor that refers to an owning user names‐
          pace.
    
    NS_GET_PARENT
          Returns  a  file descriptor that refers to a parent namespace.
          This ioctl(2) can be used for pid  and  user  namespaces.  For
          user namespaces, NS_GET_PARENT and NS_GET_USERNS have the same
          meaning.
    
    In addition to generic ioctl(2) errors, the following  specific  ones
    can occur:
    
    EINVAL NS_GET_PARENT was called for a nonhierarchical namespace.
    
    EPERM  The  requested  namespace  is outside of the current namespace
          scope.
    
    [1] https://lkml.org/lkml/2016/7/6/158
    [2] https://lkml.org/lkml/2016/7/9/101
    
    Changes for v2:
    * don't return ENOENT for init_user_ns and init_pid_ns. There is nothing
      outside of the init namespace, so we can return EPERM in this case too.
      > The fewer special cases the easier the code is to get
      > correct, and the easier it is to read. // Eric
    
    Changes for v3:
    * rename ns->get_owner() to ns->owner(). get_* usually means that it
      grabs a reference.
    
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
    Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
    Cc: "W. Trevor King" <wking@tremily.us>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: Serge Hallyn <serge.hallyn@canonical.com>
    78725596
pid_namespace.c 11 KB