On 14/05/13, Richard Guy Briggs wrote:
On 14/05/10, Eric Paris wrote:
> On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote:
> > Generate and assign a serial number per namespace instance since boot.
> >
> > Use a serial number per namespace (unique across one boot of one kernel)
> > instead of the inode number (which is claimed to have had the right to change
> > reserved and is not necessarily unique if there is more than one proc fs) to
> > uniquely identify it per kernel boot.
> >
> > Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> > ---
>
> > +/**
> > + * ns_serial - compute a serial number for the namespace
> > + *
> > + * Compute a serial number for the namespace to uniquely identify it in
> > + * audit records.
> > + */
> > +unsigned long long ns_serial(void)
> > +{
> > + static DEFINE_SPINLOCK(serial_lock);
> > + static unsigned long long serial = 4; /* reserved for IPC, UTS, user, PID */
> > + unsigned long flags;
> > +
> > + spin_lock_irqsave(&serial_lock, flags);
> > + ++serial;
> > + spin_unlock_irqrestore(&serial_lock, flags);
> > + BUG_ON(!serial);
> > +
> > + return serial;
> > +}
> > +
> > static inline struct nsproxy *create_nsproxy(void)
> > {
> > struct nsproxy *nsproxy;
>
> atomic64_t instead of doing it yourself?
I'm willing to switch to atomic64_*. Thanks for pointing out its
existence.
Same would then go for using atomic_t in audit_serial().
> and why _irqsave() ? Can we seriously create new namespaces in
irq
> context? If you use the atomic though, you don't have to worry about
> it...
Agreed. That is unlikely.
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545