Re: [PATCH 11/15] Signal semantics

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

sukadev@xxxxxxxxxx wrote:

Serge E. Hallyn [serue@xxxxxxxxxx] wrote:
| Quoting sukadev@xxxxxxxxxx (sukadev@xxxxxxxxxx):
| > Pavel Emelianov [xemul@xxxxxxxxxx] wrote:
| > | Oleg Nesterov wrote:
| > | >(What about ptrace_attach() btw? If it is possible to send a signal to init
| > | > from the "parent" namespace, perhaps it makes sense to allow ptracing as
| > | > well).
| > | | > | ptracing of tasks fro different namespaces is not possible at all, since 
| > | strace utility determines the fork()-ed child pid from the parent's eax
| > | register, which would contain the pid value as this parent sees his child.
| > | But if the strace is in different namespace - it won't be able to find
| > | this child with the pid value from parent's eax.
| > | | > | Maybe it's worth disabling cross-namespaces ptracing... | > | > I think so too. Its probably not a serious limitation ? | | Several people think we will implement 'namespace entering' through a 
| ptrace hack, where maybe the admin ptraces the init in a child pidns,
| makes it fork, and makes the child execute what it wants (i.e. ps -ef).
| | You're talking about killing that functionality? 

No. I was only thinking in terms of debugging container init and missed
the namespace entering part.

Pavel, I am not sure I understand your comment about being unable to
ptrace() a child ns. 

Ok. We have a task with pid 100, which tries to clone the new namespace.
This task fork-s and we have a new task with a couple of pids (101, 1).
Then this "init" forks again and we have the third task with pids (102, 2).
The problem is that when the 3rd task appears the return value from fork(),
that is - the new task's pid as it is seen by it's parent (2nd task), will
go to eax register (for i386) and it will be 2! But the prtaces from the
initial namespace cannot address this task with pid 2.


BTW, I am able to gdb a process (incl container-init) from parent ns now.


Debugging separate processes is possible, but when this task starts forking
with namespaces creation - this becomes impossible.
| | -serge 



_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
[Index of Archives]     [Cgroups]     [Netdev]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]

  Powered by Linux