On 16/04/29, Deepika Sundar wrote:
> Thank you for the valuable response, RGB.
>
> What you mentioned in the statement above is what I was looking for: "There
> is a mapping from the PID in the initial PID namespace to its PID in a
> child PID namespace".
> In your context, is the initial PID namespace the one that gets created on
> the "HOST"?
If I understand your question, the first namespace of any type that is
created is the initial namespace. This set of 6 different namespace
types is the default set created on a newly booted kernel.
> Please provide me details about how to enter into INIT-PID namespace to get
> the mappings of child PID Namespace.
Generally, the init process (yes, the term "init" is a bit overloaded
here...) with PID 1 in the initial PID namespace is the starting point
for creating all other processes. (Some distributions have switched over
from using "init" to using "systemd" in this role.) If you are already
that process or you are a process that is a child of that process and
still in all the initial namespaces, you are already there. If you are
a process that is in a child PID namespace, you can't see any parent or
peer namespaces. This is intentional.
> -DEEPIKA
>
> On Fri, Apr 29, 2016 at 8:07 AM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
>
> > On 16/04/28, Deepika Sundar wrote:
> > > Thank you for the replies.
> > >
> > > As per my understanding, root as admin has control over all the
> > > namespaces. If this is correct,
> >
> > As per my previous email, not necessarily.
> >
> > > (i) Is it that root should have access to all namespace-related info,
> > > for ex: which PIDs in the host are mapped to which PIDs in the
> > > namespace?
> >
> > The initial PID namespace knows about all the PIDs on the machine since
> > the PID namespaces are hierarchical. There is a mapping from the PID in
> > the initial PID namespace to its PID in a child PID namespace. A child
> > PID namespace should never be able to find out what its PID is in a
> > parent PID namespace.
> >
> > > if not,
> > >
> > > (ii) Init should have access only to its own process and should not have
> > > access to other namespaces.
> >
> > See above.
> >
> > > Is this a design limitation, or is it designed for better security?
> >
> > Both.
> >
> > > On Wed, Apr 27, 2016 at 4:49 PM, Deepika Sundar <
> > sundar.deepika18(a)gmail.com> wrote:
> > > > As per the rule, root (admin) is the one who is monitoring the system's
> > > > information, so there must exist some namespace information in the proc
> > > > field for the namespace-related PID in global. Is the way I'm
> > > > approaching the namespace-related stuff correct?
> > > >
> > > > -Deepika
> > > >
> > > > On Mon, Apr 25, 2016 at 12:24 PM, Deepika Sundar <
> > > > sundar.deepika18(a)gmail.com> wrote:
> > > >
> > > >> Yeah.
> > > >> When the PIDs in the namespace application have different PIDs
> > > >> compared to the global PID, there would be some means to map the PIDs
> > > >> at the kernel level. Can anyone suggest how it can be mapped?
> > > >>
> > > >> On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> > > >>
> > > >>> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
> > > >>> > Is there any way that can be suggested as to map PIDs of
> > > >>> > namespace in global?
> > > >>>
> > > >>> This is on the TODO list. We have been kicking around several ideas
> > > >>> but have not come to a conclusion about what exactly needs to be done.
> > > >>> The upshot of this is that basically containers have no support.
> > > >>>
> > > >>> -Steve
> > > >>>
> > > >>>
> > > >>> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul(a)paul-moore.com> wrote:
> > > >>> > > Please ask your question on the mailing list so that everyone can
> > > >>> > > benefit.
> > > >>> > >
> > > >>> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
> > > >>> > > <sundar.deepika18(a)gmail.com> wrote:
> > > >>> > > > How can it be achieved? Can I get any idea on this?
> > > >>> > > >
> > > >>> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul(a)paul-moore.com> wrote:
> > > >>> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
> > > >>> > > >>
> > > >>> > > >> <sowndarya.nadar(a)gmail.com> wrote:
> > > >>> > > >> > Hi
> > > >>> > > >> >
> > > >>> > > >> > Is there any way to map the PIDs seen in the namespace
> > > >>> > > >> > application with the PIDs seen in global?
> > > >>> > > >> > If it can be done please provide the documentation or idea
> > > >>> > > >> > on how it can be done.
> > > >>> > > >>
> > > >>> > > >> In general the audit subsystem doesn't pay attention to
> > > >>> > > >> namespaces, all PIDs reported to userspace are reported with
> > > >>> > > >> respect to the init namespace.
> > > >>> > > >>
> > > >>> > > >> --
> > > >>> > > >> paul moore
> > > >>> > > >> www.paul-moore.com
> > > >>> > > >>
> > > >>> > > >> --
> > > >>> > > >> Linux-audit mailing list
> > > >>> > > >> Linux-audit(a)redhat.com
> > > >>> > > >> https://www.redhat.com/mailman/listinfo/linux-audit
> > > >>> > >
> > > >>> > > --
> > > >>> > > paul moore
> > > >>> > > www.paul-moore.com
> > > >>>
> > > >>>
> > > >>
> > > >
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs <rgb(a)redhat.com>
> > Kernel Security Engineering, Base Operating Systems, Red Hat
> > Remote, Ottawa, Canada
> > Voice: +1.647.777.2635, Internal: (81) 32635
> >
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
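The one-way mapping discussed in this thread (the initial PID namespace can see each process's PID in every child namespace, but a child cannot see its PIDs in any ancestor) is exposed on Linux 4.1 and later by the NSpid line of /proc/<pid>/status, which is what an auditor needs to correlate the init-namespace PIDs that audit reports with the PIDs a container sees. The following is an added example, not code from the thread or from the audit project; the sample status text is constructed.

```python
"""Read the init-namespace -> child-namespace PID mapping from procfs.

On Linux 4.1 and later the NSpid line of /proc/<pid>/status, read from the
initial PID namespace, lists a process's PID in each namespace it belongs to,
outermost first. The view is one-way: a child namespace never sees its PIDs
in an ancestor namespace.
"""
import os
import re

_NSPID_RE = re.compile(r"^NSpid:[ \t]*(.+)$", re.MULTILINE)


def parse_nspid(status_text):
    """Return the NSpid chain as a list of ints, or [] if the field is absent."""
    m = _NSPID_RE.search(status_text)
    return [int(tok) for tok in m.group(1).split()] if m else []


def map_pid(status_text):
    """Map the reader's view of the PID (for audit, the init-namespace PID)
    to the innermost-namespace PID, with the nesting depth."""
    chain = parse_nspid(status_text)
    if not chain:
        return None
    return {"outer_pid": chain[0], "inner_pid": chain[-1], "depth": len(chain) - 1}


def map_live_procfs(proc="/proc"):
    """Walk a live procfs and return {outer_pid: inner_pid} for every process
    that sits inside at least one child PID namespace."""
    result = {}
    if not os.path.isdir(proc):  # not Linux, or procfs not mounted
        return result
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc, name, "status")) as fh:
                entry = map_pid(fh.read())
        except OSError:  # process exited or status not readable
            continue
        if entry and entry["depth"] > 0:
            result[entry["outer_pid"]] = entry["inner_pid"]
    return result


# Constructed sample: a container process that is PID 4242 on the host, PID 7
# in the container's PID namespace and PID 1 in a nested child namespace.
SAMPLE_STATUS = "Name:\tnginx\nPid:\t4242\nNSpid:\t4242\t7\t1\nNStgid:\t4242\t7\t1\n"
```

Run `map_live_procfs()` as root in the initial PID namespace to list every containerised process by its host PID; the same process read from inside its own namespace shows only the inner entries, which is the intended one-way visibility.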