On Tuesday, 25 October 2016 at 17:53 +0100, David Howells wrote:
> David Howells <dhowells@xxxxxxxxxx> wrote:
>
> > (2) If a process's user_namespace doesn't match that recorded in a key then
> > it gets ENOKEY if it tries to refer to it or access it and can't see it
> > in /proc/keys.
>
> There's another possibility here - since user_namespaces are hierarchical,
> does it make sense to let a process see keys that are in an ancestral
> namespace?
>
> David
> --

Hello all,

I used this approach for PTags. Let me explain how it works for PTags in a few words.

- each ptag is in fact a couple (user-namespace, ptag-name, flags)
- when looking for tags in a given namespace:
  o either it is found with the given current name-space
  o or the ancestor-hierarchy of name-spaces is looked through to get the containing ancestor
- in both cases when a tag is found, the flag indicates if it is alive or was removed in the namespace

It works well (from what I saw 8)

Technical details:
- the assumption is made that ancestors wait for their children to die
- shadow-ghost pointers are used to weakly handle user namespaces

Best regards
José Bollo

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
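The ancestral lookup José describes (a tag is a triple of namespace, name and flags; the nearest entry on the path from the current namespace to the root decides; the flag says whether the tag is alive or was removed there) as an added illustration in C. This is not PTags' code and not anything posted in the thread: the flag values, the fixed-size tag table and the init/child/grandchild namespace tree are constructed for the example, and the parent pointers are kept plain (no shadow-ghost handling) on the strength of the assumption stated in the post that a parent namespace outlives its children.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Flags recorded with a tag (hypothetical values, not PTags' real ones). */
#define PTAG_ALIVE   0x1u
#define PTAG_REMOVED 0x2u

/* A user namespace; only the parent link matters for the lookup.
 * Assumption taken from the post: a parent outlives all its children,
 * so a child's parent pointer never dangles while the child exists. */
struct user_ns {
    const char *name;
    struct user_ns *parent;
};

/* A ptag is a triple (namespace, name, flags). */
struct ptag {
    struct user_ns *ns;
    const char *name;
    unsigned flags;
};

#define MAX_PTAGS 32
static struct ptag ptag_table[MAX_PTAGS];
static int ptag_count;

/* Constructed namespace tree for the example: init -> child -> grandchild. */
static struct user_ns init_ns       = { "init", NULL };
static struct user_ns child_ns      = { "child", &init_ns };
static struct user_ns grandchild_ns = { "grandchild", &child_ns };

static struct ptag *ptag_find_exact(struct user_ns *ns, const char *name)
{
    for (int i = 0; i < ptag_count; i++)
        if (ptag_table[i].ns == ns && strcmp(ptag_table[i].name, name) == 0)
            return &ptag_table[i];
    return NULL;
}

/* Record (ns, name, flags), overwriting an existing entry for the pair. */
int ptag_set(struct user_ns *ns, const char *name, unsigned flags)
{
    struct ptag *t = ptag_find_exact(ns, name);
    if (!t) {
        if (ptag_count >= MAX_PTAGS)
            return -1;
        t = &ptag_table[ptag_count++];
        t->ns = ns;
        t->name = name;
    }
    t->flags = flags;
    return 0;
}

/* Removing a tag in ns records a REMOVED entry there instead of touching the
 * ancestor's entry: ns and its descendants stop seeing the tag, while the
 * ancestor and its other subtrees keep it. */
int ptag_remove(struct user_ns *ns, const char *name)
{
    return ptag_set(ns, name, PTAG_REMOVED);
}

/* Walk from ns up to the root; the nearest entry decides.
 * Returns 1 if the tag is visible (alive), 0 if absent or removed.
 * If owner is non-NULL it receives the namespace whose entry decided. */
int ptag_lookup(struct user_ns *ns, const char *name, struct user_ns **owner)
{
    for (struct user_ns *cur = ns; cur; cur = cur->parent) {
        struct ptag *t = ptag_find_exact(cur, name);
        if (t) {
            if (owner)
                *owner = cur;
            return (t->flags & PTAG_ALIVE) ? 1 : 0;
        }
    }
    if (owner)
        *owner = NULL;
    return 0;
}

/* Run the scenario from the post. Returns 0 when every step behaves as
 * described, otherwise the number of the failing step. */
int ptag_scenario(void)
{
    struct user_ns *owner;
    ptag_count = 0;

    /* 1: a tag set in init is inherited by the whole subtree */
    ptag_set(&init_ns, "sandbox", PTAG_ALIVE);
    if (ptag_lookup(&grandchild_ns, "sandbox", &owner) != 1 || owner != &init_ns)
        return 1;
    /* 2: removing it in child hides it from child and grandchild ... */
    ptag_remove(&child_ns, "sandbox");
    if (ptag_lookup(&child_ns, "sandbox", NULL) != 0 ||
        ptag_lookup(&grandchild_ns, "sandbox", &owner) != 0 || owner != &child_ns)
        return 2;
    /* 3: ... but init still sees its own entry */
    if (ptag_lookup(&init_ns, "sandbox", NULL) != 1)
        return 3;
    /* 4: grandchild can set the tag again, shadowing child's removal */
    ptag_set(&grandchild_ns, "sandbox", PTAG_ALIVE);
    if (ptag_lookup(&grandchild_ns, "sandbox", NULL) != 1 ||
        ptag_lookup(&child_ns, "sandbox", NULL) != 0)
        return 4;
    /* 5: an unknown name is simply not found */
    if (ptag_lookup(&grandchild_ns, "nosuchtag", &owner) != 0 || owner != NULL)
        return 5;
    return 0;
}

int main(void)
{
    int r = ptag_scenario();
    printf("ptag scenario: %s (step %d)\n", r == 0 ? "ok" : "FAILED", r);
    return r;
}
```

The point worth checking in such a design is the direction of influence: a child namespace can hide an inherited tag for itself and its own descendants by recording a removal, but nothing a child does changes what the ancestor or the ancestor's other subtrees see, which is what keeps a container from altering the host's view. Lookup cost is bounded by the depth of the namespace tree, and the parent pointers are only safe to follow because of the lifetime assumption the post states.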