On 16/04/29, Deepika Sundar wrote:
> Thank you.
> From the init PID namespace, how can we access the child PID namespace's PIDs?
There are a number of helper functions and macros referenced in
include/linux/sched.h starting with task_pid() and following and in
kernel/pid.c and include/linux/pid.h. Some are with respect to initial
namespaces, some with respect to the current namespace and others work
with a namespace pointer.
On 29-Apr-2016 7:33 pm, "Richard Guy Briggs" <rgb(a)redhat.com> wrote:
> On 16/04/29, Deepika Sundar wrote:
> > Thank you for the valuable response, RGB.
> >
> > What you mentioned in the above statement is what I was looking for: "There
> > is a mapping from the PID in the initial PID namespace to its PID in a
> > child PID namespace".
> > As per your context, is the initial PID namespace the one which gets
> > created in the "HOST"?
>
> If I understand your question, the first namespace of any type that is
> created is the initial namespace. This set of 6 different namespace
> types are the default that are created on a newly booted kernel.
>
> > Please provide me details about how to enter into the INIT-PID namespace to get
> > the mappings of the child PID namespace.
>
> Generally, the init process (yes, the term "init" is a bit overloaded
> here...) with PID 1 in the initial PID namespace is the starting point
> for creating all other processes. (Some distributions have switched over
> from using "init" to using "systemd" in this role.) If you are already
> that process or you are a process that is a child of that process and
> still in all the initial namespaces, you are already there. If you are
> a process that is in a child PID namespace, you can't see any parent or
> peer namespaces. This is intentional.
>
> > -DEEPIKA
> >
> > On Fri, Apr 29, 2016 at 8:07 AM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
> >
> > > On 16/04/28, Deepika Sundar wrote:
> > > > Thank you for the replies.
> > > >
> > > > As per my understanding, root as admin has control over all the
> > > > namespaces. If this is correct,
> > >
> > > As per my previous email, not necessarily.
> > >
> > > > (i) Should root have access to all namespace-related info,
> > > > for ex: PIDs in the host are mapped to what PIDs in the namespace?
> > >
> > > The initial PID namespace knows about all the PIDs on the machine since
> > > the PID namespaces are hierarchical. There is a mapping from the PID in
> > > the initial PID namespace to its PID in a child PID namespace. A child
> > > PID namespace should never be able to find out what its PID is in a
> > > parent PID namespace.
> > >
> > > > if not ,
> > > >
> > > > (ii) Init should only have access to its own processes and should not have
> > > > access to other namespaces.
> > >
> > > See above.
> > >
> > > > Is this design limitation (or) Is it designed for better security ?
> > >
> > > Both.
> > >
> > > > On Wed, Apr 27, 2016 at 4:49 PM, Deepika Sundar <sundar.deepika18(a)gmail.com> wrote:
> > > > > As per rule, root (admin) is the one who is monitoring the system's
> > > > > information. So, there must exist some namespace information in the proc
> > > > > field for the namespace-related PID in global. Is the way I'm approaching
> > > > > the namespace-related stuff correct?
> > > > >
> > > > > -Deepika
> > > > >
> > > > > On Mon, Apr 25, 2016 at 12:24 PM, Deepika Sundar <sundar.deepika18(a)gmail.com> wrote:
> > > > >
> > > > >> Yeah.
> > > > >> When the PIDs which are in the namespace application have different PIDs
> > > > >> compared to the global PIDs, there would be some means to map the PIDs in the
> > > > >> kernel level. Can anyone suggest how it can be mapped?
> > > > >>
> > > > >> On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> > > > >>
> > > > >>> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
> > > > >>> > Is there any way that can be suggested to map the PIDs of a
> > > > >>> > namespace to global ones?
> > > > >>>
> > > > >>> This is on the TODO list. We have been kicking around several ideas but
> > > > >>> have not come to a conclusion about what exactly needs to be done. The
> > > > >>> upshot of this is that basically containers have no support.
> > > > >>>
> > > > >>> -Steve
> > > > >>>
> > > > >>>
> > > > >>> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul(a)paul-moore.com> wrote:
> > > > >>> > > Please ask your question on the mailing list so that everyone can
> > > > >>> > > benefit.
> > > > >>> > >
> > > > >>> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
> > > > >>> > > <sundar.deepika18(a)gmail.com> wrote:
> > > > >>> > > > How can it be achieved? Can I get any idea on this?
> > > > >>> > > >
> > > > >>> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul(a)paul-moore.com> wrote:
> > > > >>> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
> > > > >>> > > >> <sowndarya.nadar(a)gmail.com> wrote:
> > > > >>> > > >> > Hi
> > > > >>> > > >> >
> > > > >>> > > >> > Is there any way to map the PIDs seen in the namespace application
> > > > >>> > > >> > with the PIDs seen in global?
> > > > >>> > > >> > If it can be done, please provide the documentation or an idea on
> > > > >>> > > >> > how it can be done.
> > > > >>> > > >>
> > > > >>> > > >> In general the audit subsystem doesn't pay attention to
> > > > >>> > > >> namespaces, all PIDs reported to userspace are reported with respect
> > > > >>> > > >> to the init namespace.
> > > > >>> > > >>
> > > > >>> > > >> paul moore
> > > > >>> > >
> > > > >>> > > paul moore
> > >
> > > - RGB
>
> - RGB
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
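Richard's answer points at the kernel-side helpers (task_pid() and the functions that follow it in include/linux/sched.h, kernel/pid.c and include/linux/pid.h). The same hierarchical mapping the thread discusses is what the kernel exposes to userspace in the "NSpid:" line of /proc/<pid>/status (present since Linux 4.1): the leftmost value is the PID as seen from the PID namespace of the procfs mount being read (the initial namespace for the host's /proc), and each further value is the PID in the next nested child namespace, the rightmost being the innermost. The C program below is an added example, not code from this thread or from the kernel; it parses that line from a constructed status snippet (labelled as such) and, when run on a real system, from /proc/self/status. It only works in the direction Richard describes: a reader in a parent namespace sees the whole chain, while a process confined to a child namespace reading its own /proc sees only its own level, which is the isolation the thread calls intentional.

```c
/* Added example (not from the thread or the kernel): read the hierarchical
 * PID mapping the kernel exposes in /proc/<pid>/status as "NSpid:".
 * Leftmost entry = PID in the PID namespace of the procfs mount being read
 * (the initial namespace for the host's /proc); rightmost = PID in the
 * innermost child namespace.  Build: cc -o nspid nspid.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_NS_DEPTH 32

/* Parse the "NSpid:" line of a /proc/<pid>/status text into pids[].
 * Returns the number of namespace levels found, or -1 if the line is
 * absent (kernels before 4.1 do not emit it). */
int parse_nspid(const char *status_text, long pids[], int max)
{
    const char *line = status_text;

    while (line && *line) {
        if (strncmp(line, "NSpid:", 6) == 0) {
            const char *p = line + 6;
            int n = 0;

            /* Values are tab-separated; stop at end of line or on junk. */
            while (n < max) {
                char *end;

                while (*p == ' ' || *p == '\t')
                    p++;
                if (*p < '0' || *p > '9')
                    break;
                pids[n++] = strtol(p, &end, 10);
                p = end;
            }
            return n;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* PID at a given nesting level (0 = outermost visible namespace), or -1. */
long nspid_at_level(const char *status_text, int level)
{
    long pids[MAX_NS_DEPTH];
    int n = parse_nspid(status_text, pids, MAX_NS_DEPTH);

    if (n < 0 || level < 0 || level >= n)
        return -1;
    return pids[level];
}

/* Number of PID namespace levels the process is visible in, or -1. */
int nspid_depth(const char *status_text)
{
    long pids[MAX_NS_DEPTH];
    return parse_nspid(status_text, pids, MAX_NS_DEPTH);
}

/* Read and parse /proc/<pid>/status for a live process. */
int read_nspid(pid_t pid, long pids[], int max)
{
    char path[64];
    char buf[8192];
    FILE *f;
    size_t len;

    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    f = fopen(path, "r");
    if (!f)
        return -1;
    len = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[len] = '\0';
    return parse_nspid(buf, pids, max);
}

/* Constructed sample (not real system output): a process that is PID 4242
 * on the host, 17 inside a container's PID namespace and 1 (that
 * namespace's "init") in a further nested namespace. */
static const char SAMPLE_STATUS[] =
    "Name:\tsleep\n"
    "Pid:\t4242\n"
    "NSpid:\t4242\t17\t1\n"
    "NSpgid:\t4242\t17\t1\n";

static void print_mapping(const char *label, const long pids[], int n)
{
    int i;

    printf("%s: %d level(s);", label, n);
    for (i = 0; i < n; i++)
        printf(" level %d -> pid %ld", i, pids[i]);
    printf("\n");
}

int main(void)
{
    long pids[MAX_NS_DEPTH];
    int n;

    n = parse_nspid(SAMPLE_STATUS, pids, MAX_NS_DEPTH);
    print_mapping("constructed sample", pids, n);

    n = read_nspid(getpid(), pids, MAX_NS_DEPTH);
    if (n < 0)
        fprintf(stderr, "no NSpid line (kernel < 4.1 or no /proc)\n");
    else
        print_mapping("this process", pids, n);
    return 0;
}
```

Run it from the host against a container's PID (read_nspid(<host pid>, ...)) and the chain shows the mapping that an audit consumer working in the initial namespace would need; run the same binary inside the container and it reports a depth of 1, because the child namespace's /proc does not expose the parent's view.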