diff options
| author | Eric W. Biederman <ebiederm@xmission.com> | 2010-03-07 19:41:34 -0500 |
|---|---|---|
| committer | Eric W. Biederman <ebiederm@xmission.com> | 2011-05-10 17:31:44 -0400 |
| commit | 6b4e306aa3dc94a0545eb9279475b1ab6209a31f (patch) | |
| tree | ca8c6dec0805076f0b5ba7c547e3cb2004e3aea2 /fs/proc/base.c | |
| parent | 0ee5623f9a6e52df90a78bd21179f8ab370e102e (diff) | |
ns: proc files for namespace naming policy.
Create files under /proc/<pid>/ns/ to allow controlling the
namespaces of a process.
This addresses three specific problems that can make namespaces hard to
work with.
- Namespaces require a dedicated process to pin them in memory.
- It is not possible to use a namespace unless you are the child
of the original creator.
- Namespaces don't have names that userspace can use to talk about
them.
The namespace files under /proc/<pid>/ns/ can be opened and the
file descriptor can be used to talk about a specific namespace, and
to keep the specified namespace alive.
A namespace can be kept alive by either holding the file descriptor
open or bind mounting the file someplace else. aka:
mount --bind /proc/self/ns/net /some/filesystem/path
mount --bind /proc/self/fd/<N> /some/filesystem/path
This allows namespaces to be named with userspace policy.
It requires additional support to make use of these filedescriptors
and that will be comming in the following patches.
Acked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'fs/proc/base.c')
| -rw-r--r-- | fs/proc/base.c | 20 |
1 files changed, 9 insertions, 11 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c index dfa532730e55..dc8bca72b002 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c | |||
| @@ -600,7 +600,7 @@ static int proc_fd_access_allowed(struct inode *inode) | |||
| 600 | return allowed; | 600 | return allowed; |
| 601 | } | 601 | } |
| 602 | 602 | ||
| 603 | static int proc_setattr(struct dentry *dentry, struct iattr *attr) | 603 | int proc_setattr(struct dentry *dentry, struct iattr *attr) |
| 604 | { | 604 | { |
| 605 | int error; | 605 | int error; |
| 606 | struct inode *inode = dentry->d_inode; | 606 | struct inode *inode = dentry->d_inode; |
| @@ -1736,8 +1736,7 @@ static int task_dumpable(struct task_struct *task) | |||
| 1736 | return 0; | 1736 | return 0; |
| 1737 | } | 1737 | } |
| 1738 | 1738 | ||
| 1739 | 1739 | struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *task) | |
| 1740 | static struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *task) | ||
| 1741 | { | 1740 | { |
| 1742 | struct inode * inode; | 1741 | struct inode * inode; |
| 1743 | struct proc_inode *ei; | 1742 | struct proc_inode *ei; |
| @@ -1779,7 +1778,7 @@ out_unlock: | |||
| 1779 | return NULL; | 1778 | return NULL; |
| 1780 | } | 1779 | } |
| 1781 | 1780 | ||
| 1782 | static int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) | 1781 | int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) |
| 1783 | { | 1782 | { |
| 1784 | struct inode *inode = dentry->d_inode; | 1783 | struct inode *inode = dentry->d_inode; |
| 1785 | struct task_struct *task; | 1784 | struct task_struct *task; |
| @@ -1820,7 +1819,7 @@ static int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat | |||
| 1820 | * made this apply to all per process world readable and executable | 1819 | * made this apply to all per process world readable and executable |
| 1821 | * directories. | 1820 | * directories. |
| 1822 | */ | 1821 | */ |
| 1823 | static int pid_revalidate(struct dentry *dentry, struct nameidata *nd) | 1822 | int pid_revalidate(struct dentry *dentry, struct nameidata *nd) |
| 1824 | { | 1823 | { |
| 1825 | struct inode *inode; | 1824 | struct inode *inode; |
| 1826 | struct task_struct *task; | 1825 | struct task_struct *task; |
| @@ -1862,7 +1861,7 @@ static int pid_delete_dentry(const struct dentry * dentry) | |||
| 1862 | return !proc_pid(dentry->d_inode)->tasks[PIDTYPE_PID].first; | 1861 | return !proc_pid(dentry->d_inode)->tasks[PIDTYPE_PID].first; |
| 1863 | } | 1862 | } |
| 1864 | 1863 | ||
| 1865 | static const struct dentry_operations pid_dentry_operations = | 1864 | const struct dentry_operations pid_dentry_operations = |
| 1866 | { | 1865 | { |
| 1867 | .d_revalidate = pid_revalidate, | 1866 | .d_revalidate = pid_revalidate, |
| 1868 | .d_delete = pid_delete_dentry, | 1867 | .d_delete = pid_delete_dentry, |
| @@ -1870,9 +1869,6 @@ static const struct dentry_operations pid_dentry_operations = | |||
| 1870 | 1869 | ||
| 1871 | /* Lookups */ | 1870 | /* Lookups */ |
| 1872 | 1871 | ||
| 1873 | typedef struct dentry *instantiate_t(struct inode *, struct dentry *, | ||
| 1874 | struct task_struct *, const void *); | ||
| 1875 | |||
| 1876 | /* | 1872 | /* |
| 1877 | * Fill a directory entry. | 1873 | * Fill a directory entry. |
| 1878 | * | 1874 | * |
| @@ -1885,8 +1881,8 @@ typedef struct dentry *instantiate_t(struct inode *, struct dentry *, | |||
| 1885 | * reported by readdir in sync with the inode numbers reported | 1881 | * reported by readdir in sync with the inode numbers reported |
| 1886 | * by stat. | 1882 | * by stat. |
| 1887 | */ | 1883 | */ |
| 1888 | static int proc_fill_cache(struct file *filp, void *dirent, filldir_t filldir, | 1884 | int proc_fill_cache(struct file *filp, void *dirent, filldir_t filldir, |
| 1889 | char *name, int len, | 1885 | const char *name, int len, |
| 1890 | instantiate_t instantiate, struct task_struct *task, const void *ptr) | 1886 | instantiate_t instantiate, struct task_struct *task, const void *ptr) |
| 1891 | { | 1887 | { |
| 1892 | struct dentry *child, *dir = filp->f_path.dentry; | 1888 | struct dentry *child, *dir = filp->f_path.dentry; |
| @@ -2820,6 +2816,7 @@ static const struct pid_entry tgid_base_stuff[] = { | |||
| 2820 | DIR("task", S_IRUGO|S_IXUGO, proc_task_inode_operations, proc_task_operations), | 2816 | DIR("task", S_IRUGO|S_IXUGO, proc_task_inode_operations, proc_task_operations), |
| 2821 | DIR("fd", S_IRUSR|S_IXUSR, proc_fd_inode_operations, proc_fd_operations), | 2817 | DIR("fd", S_IRUSR|S_IXUSR, proc_fd_inode_operations, proc_fd_operations), |
| 2822 | DIR("fdinfo", S_IRUSR|S_IXUSR, proc_fdinfo_inode_operations, proc_fdinfo_operations), | 2818 | DIR("fdinfo", S_IRUSR|S_IXUSR, proc_fdinfo_inode_operations, proc_fdinfo_operations), |
| 2819 | DIR("ns", S_IRUSR|S_IXUGO, proc_ns_dir_inode_operations, proc_ns_dir_operations), | ||
| 2823 | #ifdef CONFIG_NET | 2820 | #ifdef CONFIG_NET |
| 2824 | DIR("net", S_IRUGO|S_IXUGO, proc_net_inode_operations, proc_net_operations), | 2821 | DIR("net", S_IRUGO|S_IXUGO, proc_net_inode_operations, proc_net_operations), |
| 2825 | #endif | 2822 | #endif |
| @@ -3168,6 +3165,7 @@ out_no_task: | |||
| 3168 | static const struct pid_entry tid_base_stuff[] = { | 3165 | static const struct pid_entry tid_base_stuff[] = { |
| 3169 | DIR("fd", S_IRUSR|S_IXUSR, proc_fd_inode_operations, proc_fd_operations), | 3166 | DIR("fd", S_IRUSR|S_IXUSR, proc_fd_inode_operations, proc_fd_operations), |
| 3170 | DIR("fdinfo", S_IRUSR|S_IXUSR, proc_fdinfo_inode_operations, proc_fdinfo_operations), | 3167 | DIR("fdinfo", S_IRUSR|S_IXUSR, proc_fdinfo_inode_operations, proc_fdinfo_operations), |
| 3168 | DIR("ns", S_IRUSR|S_IXUGO, proc_ns_dir_inode_operations, proc_ns_dir_operations), | ||
| 3171 | REG("environ", S_IRUSR, proc_environ_operations), | 3169 | REG("environ", S_IRUSR, proc_environ_operations), |
| 3172 | INF("auxv", S_IRUSR, proc_pid_auxv), | 3170 | INF("auxv", S_IRUSR, proc_pid_auxv), |
| 3173 | ONE("status", S_IRUGO, proc_pid_status), | 3171 | ONE("status", S_IRUGO, proc_pid_status), |