PID's Mapping

Richard Guy Briggs rgb at redhat.com
Fri Apr 29 02:33:28 UTC 2016


On 16/04/27, Deepika Sundar wrote:
> As per rule, root (admin) is the one who is monitoring the system's
> information. So, there must exist some namespace information in the proc field
> for the namespace-related PID in global. Is the way I'm approaching the
> namespace-related stuff correct?

I'm having some trouble parsing your text, but I'll try to answer the
question.

"root" is not necessarily omniscient as it has been assumed to be
frequently in the past.  This is true of Linux Capabilities and I
believe SELinux.

It is possible for a process to be owned by "root" (UID 0) in a
non-initial PID namespace and it would not have access to initial PID
namespace information nor any of the other PID namespaces that are not
children of its own PID namespace.

Anything visible from the proc filesystem should be relative to the
namespaces of the process requesting it.

This gets into a whole lot of discussion about Linux kernel namespaces
in general, and I'd recommend you seek out articles about the six Linux
kernel namespaces on Linux Weekly News (lwn.net) on the topic.

> -Deepika
> 
> On Mon, Apr 25, 2016 at 12:24 PM, Deepika Sundar <sundar.deepika18 at gmail.com> wrote:
> > Yeah.
> > When the PIDs which are in the namespace application have different PIDs
> > compared to the global PIDs, there would be some means to map the PIDs at the
> > kernel level. Can anyone suggest how it can be mapped?
> >
> > On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> >
> >> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
> >> > Is there any way that can be suggested as to map PIDs of namespace in
> >> > global?
> >>
> >> This is on the TODO list. We have been kicking around several ideas but
> >> have not come to a conclusion about what exactly needs to be done. The
> >> upshot of this is that basically containers have no support.
> >>
> >> -Steve
> >>
> >>
> >> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul at paul-moore.com> wrote:
> >> > > Please ask your question on the mailing list so that everyone can benefit.
> >> > >
> >> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar <sundar.deepika18 at gmail.com> wrote:
> >> > > > How can it be achieved? Can I get any idea on this?
> >> > > >
> >> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul at paul-moore.com> wrote:
> >> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar <sowndarya.nadar at gmail.com> wrote:
> >> > > >> > Hi
> >> > > >> >
> >> > > >> > Is there any way to map the PIDs seen in the namespace application with
> >> > > >> > the PIDs seen in global? If it can be done please provide the
> >> > > >> > documentation or idea on how it can be done.
> >> > > >>
> >> > > >> In general the audit subsystem doesn't pay attention to namespaces,
> >> > > >> all PIDs reported to userspace are reported with respect to the init
> >> > > >> namespace.
> >> > > >>
> >> > > >> --
> >> > > >> paul moore
> >> > > >> www.paul-moore.com
> >> > > >>
> >> > > >> --
> >> > > >> Linux-audit mailing list
> >> > > >> Linux-audit at redhat.com
> >> > > >> https://www.redhat.com/mailman/listinfo/linux-audit
> >> > >
> >> > > --
> >> > > paul moore
> >> > > www.paul-moore.com
> >>
> >>
> >

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
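Worked example, added to this archive page and not code from the thread or from the linux-audit project: the thread's question (mapping a PID seen inside a namespace to the global PID that audit records report) and Richard's point that /proc is always relative to the requester's namespaces can both be demonstrated with the `NSpid:` line of /proc/<pid>/status. Assumptions not stated in the thread: Linux 4.1 and later expose that line, listing the process's PID in each PID namespace from the reader's (outermost) namespace down to the process's own; the reader is in the init PID namespace, so the first entry is the PID audit reports. The status excerpts in the block are constructed, not captured from a real host.

```python
"""Correlating init-namespace (host) PIDs with the PIDs seen inside a PID
namespace, using the NSpid line of /proc/<pid>/status (Linux >= 4.1).

Added example for the linux-audit thread on PID mapping; not project code.
"""
import re
from typing import Dict, List, Optional

# Constructed /proc/<pid>/status excerpts as read from the init PID namespace,
# keyed by global PID.  4242 is a container's init (PID 1 inside it), 4250 is
# PID 7 in that container, and 4300 lives one namespace level deeper still.
SAMPLE_STATUS: Dict[int, str] = {
    1: "Name:\tsystemd\nPid:\t1\nPPid:\t0\nNSpid:\t1\n",
    4242: "Name:\tbash\nPid:\t4242\nPPid:\t4200\nNSpid:\t4242\t1\n",
    4250: "Name:\tsleep\nPid:\t4250\nPPid:\t4242\nNSpid:\t4250\t7\n",
    4300: "Name:\tnginx\nPid:\t4300\nPPid:\t4250\nNSpid:\t4300\t12\t1\n",
}

_NSPID_RE = re.compile(r"^NSpid:[ \t]*(.*)$", re.MULTILINE)


def parse_nspid(status_text: str) -> List[int]:
    """Return the NSpid chain: outermost (reader's) namespace first,
    the process's own namespace last."""
    m = _NSPID_RE.search(status_text)
    if m is None:
        raise ValueError("no NSpid line (kernel older than 4.1, or not a status file)")
    return [int(tok) for tok in m.group(1).split()]


def pid_at_depth(chain: List[int], depth: int) -> Optional[int]:
    """PID of the process as seen by a reader at nesting depth `depth`
    (0 == init namespace).

    None means the process is outside what that level can see: from inside a
    container, host-only processes simply do not exist in its /proc, which is
    the "relative to the requesting process's namespaces" rule from the reply.
    """
    return chain[depth] if 0 <= depth < len(chain) else None


def global_pids_for(statuses: Dict[int, str], depth: int, ns_pid: int) -> List[int]:
    """Reverse lookup: which global PIDs appear as `ns_pid` at `depth`?

    Returns a list because sibling namespaces at the same depth reuse PID
    numbers (every container has its own PID 1); to pick the right one,
    compare the /proc/<pid>/ns/pid link targets, which NSpid alone cannot do.
    """
    return sorted(
        gpid for gpid, text in statuses.items()
        if pid_at_depth(parse_nspid(text), depth) == ns_pid
    )


def read_status(pid: int) -> str:
    """Read a live status file.  Run from the init namespace to see the
    whole chain; from inside a container only the inner entries are shown."""
    with open(f"/proc/{pid}/status", "r", encoding="ascii") as fh:
        return fh.read()


if __name__ == "__main__":
    for gpid, text in SAMPLE_STATUS.items():
        chain = parse_nspid(text)
        print(f"global {gpid:>5}: NSpid {chain}, "
              f"seen from the container level as {pid_at_depth(chain, 1)}")
    # An audit record naming pid=4300 maps to PID 12 in the container and
    # PID 1 in the nested namespace; the reverse lookup answers the thread's
    # "container PID 1 is which host PID?" question.
    print("container PID 1 is global", global_pids_for(SAMPLE_STATUS, 1, 1))
```

Since audit writes the init-namespace PID (the first NSpid entry), a collector running on the host can enrich each record by reading the status file for that PID while the process still exists; once it has exited the chain is gone, so the lookup has to happen at ingestion time, not at search time.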



