PID's Mapping

Deepika Sundar sundar.deepika18 at gmail.com
Fri Apr 29 14:06:51 UTC 2016


Thank you.
From the init PID namespace, how can we access the child PID namespace's PIDs?
On 29-Apr-2016 7:33 pm, "Richard Guy Briggs" <rgb at redhat.com> wrote:

> On 16/04/29, Deepika Sundar wrote:
> > Thank you for the valuable response, RGB.
> >
> > What you mentioned in the above statement is what I was looking for: "There
> > is a mapping from the PID in the initial PID namespace to its PID in a
> > child PID namespace".
> > As per your context, is the initial PID namespace the one which gets
> > created in the "HOST"?
>
> If I understand your question, the first namespace of any type that is
> created is the initial namespace.  This set of 6 different namespace
> types are the default that are created on a newly booted kernel.
>
> > Please provide me details about how to enter into the INIT-PID namespace to
> > get the mappings of the child PID namespace.
>
> Generally, the init process (yes, the term "init" is a bit overloaded
> here...) with PID 1 in the initial PID namespace is the starting point
> for creating all other processes.  (Some distributions have switched over
> from using "init" to using "systemd" in this role.)  If you are already
> that process or you are a process that is a child of that process and
> still in all the initial namespaces, you are already there.  If you are
> a process that is in a child PID namespace, you can't see any parent or
> peer namespaces.  This is intentional.
>
> > -DEEPIKA
> >
> > On Fri, Apr 29, 2016 at 8:07 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
> >
> > > On 16/04/28, Deepika Sundar wrote:
> > > > Thank you for the replies.
> > > >
> > > > As per my understanding, root as admin has control over all the
> > > > namespaces. If this is correct,
> > >
> > > As per my previous email, not necessarily.
> > >
> > > > (i) Is it that root should have access to all namespace-related info,
> > > >     for ex: PIDs in the host are mapped to what PIDs in the namespace?
> > >
> > > The initial PID namespace knows about all the PIDs on the machine since
> > > the PID namespaces are hierarchical.  There is a mapping from the PID in
> > > the initial PID namespace to its PID in a child PID namespace.  A child
> > > PID namespace should never be able to find out what its PID is in a
> > > parent PID namespace.
> > >
> > > >   if not,
> > > >
> > > > (ii) Init should have access only to its own process and should not have
> > > > access to other namespaces.
> > >
> > > See above.
> > >
> > > > Is this a design limitation, or is it designed for better security?
> > >
> > > Both.
> > >
> > > > On Wed, Apr 27, 2016 at 4:49 PM, Deepika Sundar <sundar.deepika18 at gmail.com> wrote:
> > > > > As per rule, root (admin) is the one who is monitoring the system's
> > > > > information. So, there must exist some namespace information in the proc
> > > > > field for the namespace-related PID in global. Is the way I'm
> > > > > approaching the namespace-related stuff correct?
> > > > >
> > > > > -Deepika
> > > > >
> > > > > On Mon, Apr 25, 2016 at 12:24 PM, Deepika Sundar <sundar.deepika18 at gmail.com> wrote:
> > > > >
> > > > >> Yeah.
> > > > >> When the PIDs which are in the namespace application have different
> > > > >> PIDs compared to the global PIDs, there would be some means to map the
> > > > >> PIDs at the kernel level. Can anyone suggest how it can be mapped?
> > > > >>
> > > > >> On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> > > > >>
> > > > >>> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
> > > > >>> > Is there any way that can be suggested as to map PIDs of a
> > > > >>> > namespace in global?
> > > > >>>
> > > > >>> This is on the TODO list. We have been kicking around several ideas but
> > > > >>> have not come to a conclusion about what exactly needs to be done. The
> > > > >>> upshot of this is that basically containers have no support.
> > > > >>>
> > > > >>> -Steve
> > > > >>>
> > > > >>>
> > > > >>> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul at paul-moore.com> wrote:
> > > > >>> > > Please ask your question on the mailing list so that everyone can
> > > > >>> > > benefit.
> > > > >>> > >
> > > > >>> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
> > > > >>> > > <sundar.deepika18 at gmail.com> wrote:
> > > > >>> > > > How can it be achieved? Can I get any idea on this?
> > > > >>> > > >
> > > > >>> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul at paul-moore.com> wrote:
> > > > >>> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
> > > > >>> > > >> <sowndarya.nadar at gmail.com> wrote:
> > > > >>> > > >> > Hi
> > > > >>> > > >> >
> > > > >>> > > >> > Is there any way to map the PIDs seen in the namespace application
> > > > >>> > > >> > with the PIDs seen in global?
> > > > >>> > > >> > If it can be done, please provide the documentation or an idea on
> > > > >>> > > >> > how it can be done.
> > > > >>> > > >>
> > > > >>> > > >> In general the audit subsystem doesn't pay attention to namespaces;
> > > > >>> > > >> all PIDs reported to userspace are reported with respect to the init
> > > > >>> > > >> namespace.
> > > > >>> > > >>
> > > > >>> > > >> --
> > > > >>> > > >> paul moore
> > > > >>> > > >> www.paul-moore.com
> > > > >>> > > >>
> > > > >>> > >
> > > > >>> > > --
> > > > >>> > > paul moore
> > > > >>> > > www.paul-moore.com
> > > > >>>
> > > > >>>
> > > > >>
> > > > >
> > >
> > > - RGB
> > >
> > > --
> > > Richard Guy Briggs <rgb at redhat.com>
> > > Kernel Security Engineering, Base Operating Systems, Red Hat
> > > Remote, Ottawa, Canada
> > > Voice: +1.647.777.2635, Internal: (81) 32635
> > >
>
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
>
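The thread establishes three points: PID namespaces are hierarchical, the initial namespace holds a mapping from each of its PIDs to that process's PID in every child namespace, and audit records carry only the initial-namespace PID. Since Linux 4.1 the kernel exposes exactly that mapping as the NSpid field of /proc/<pid>/status, listed from the reader's own namespace inward, so a reader inside a child namespace never sees parent-level entries. The following is an added example, not code from the thread or from the audit project; it assumes a kernel with the NSpid field, and the status texts it parses are constructed samples so it runs offline.

```python
"""Resolve PIDs across nested PID namespaces from the NSpid field of
/proc/<pid>/status. Added example; assumes Linux >= 4.1 (NSpid present).
The status bodies below are constructed samples; read_status() reads a
live /proc for the same parsing on a real host."""
from pathlib import Path
from typing import Dict, List


def make_status(pid: int, ppid: int, chain: List[int]) -> str:
    """Build a minimal /proc/<pid>/status body (constructed sample data)."""
    ns = "\t".join(str(p) for p in chain)
    return (f"Name:\tsleep\nState:\tS (sleeping)\nTgid:\t{pid}\nPid:\t{pid}\n"
            f"PPid:\t{ppid}\nNStgid:\t{ns}\nNSpid:\t{ns}\nNSpgid:\t{ns}\nNSsid:\t{ns}\n")


# Constructed view from the initial PID namespace: host pid -> status text.
HOST_STATUS: Dict[int, str] = {
    1: make_status(1, 0, [1]),                      # init, initial namespace only
    4242: make_status(4242, 4200, [4242, 17]),      # pid 17 inside container A
    4300: make_status(4300, 4290, [4300, 17]),      # pid 17 inside container B (clash)
    4310: make_status(4310, 4242, [4310, 25, 3]),   # nested namespace under A
}


def nspid_chain(status_text: str) -> List[int]:
    """Return the NSpid column as ints: the reader's namespace first, the
    process's innermost namespace last. A reader inside a child namespace
    only ever sees the entries from its own level inward, which is the
    one-way visibility the thread describes."""
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(tok) for tok in line.split()[1:]]
    raise ValueError("NSpid missing: kernel older than 4.1 or /proc hidden")


def read_status(pid: int) -> str:
    """Read a live /proc/<pid>/status (Linux only; not used by the samples)."""
    return Path(f"/proc/{pid}/status").read_text()


def host_to_namespace_pids(host_pid: int, status_by_pid: Dict[int, str]) -> List[int]:
    """Initial-namespace PID (e.g. pid= in an audit record) -> full NSpid chain."""
    return nspid_chain(status_by_pid[host_pid])


def namespace_to_host_pids(inner_pid: int, status_by_pid: Dict[int, str]) -> List[int]:
    """Reverse lookup: every host PID whose innermost NSpid equals inner_pid.
    Several matches are normal, since every container has its own pid 1,
    so the caller must still disambiguate by namespace (e.g. /proc/<pid>/ns/pid)."""
    matches = []
    for host_pid, text in status_by_pid.items():
        chain = nspid_chain(text)
        if len(chain) > 1 and chain[-1] == inner_pid:
            matches.append(host_pid)
    return sorted(matches)


def live_pid_map() -> Dict[int, List[int]]:
    """Walk a live /proc and collect NSpid chains for processes that live in
    a child PID namespace; processes that exit mid-walk are skipped."""
    out: Dict[int, List[int]] = {}
    for entry in Path("/proc").iterdir():
        if not entry.name.isdigit():
            continue
        try:
            chain = nspid_chain((entry / "status").read_text())
        except (OSError, ValueError):
            continue
        if len(chain) > 1:
            out[int(entry.name)] = chain
    return out


if __name__ == "__main__":
    # Correlate a constructed audit-style host pid with its in-container PIDs.
    print("host 4310 ->", host_to_namespace_pids(4310, HOST_STATUS))
    print("container pid 17 is host", namespace_to_host_pids(17, HOST_STATUS))
```

On a host the same parsing runs over the output of `read_status(pid)` or `live_pid_map()`; run from inside a container it returns one-element chains, because the kernel prints only the levels the reader is allowed to see. The deliberate ambiguity in the sample (pid 17 in two containers) is why a reverse lookup from a container-local PID must be qualified by the namespace identity and not trusted on its own.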