PID's Mapping

Richard Guy Briggs rgb at redhat.com
Fri Apr 29 02:37:33 UTC 2016


On 16/04/28, Deepika Sundar wrote:
> Thank you for the replies.
> 
> As per my understanding, root as admin has control over all the
> namespaces. If this is correct,

As per my previous email, not necessarily.

> (i) Is it that root should have access to all namespace-related info,
>     for ex: PIDs in the host are mapped to which PIDs in the namespace?

The initial PID namespace knows about all the PIDs on the machine since
the PID namespaces are hierarchical.  There is a mapping from the PID in
the initial PID namespace to its PID in a child PID namespace.  A child
PID namespace should never be able to find out what its PID is in a
parent PID namespace.

>   if not,
> 
> (ii) init should have access only to its own processes and should not have
> access to other namespaces.

See above.

> Is this a design limitation, or is it designed for better security?

Both.

> On Wed, Apr 27, 2016 at 4:49 PM, Deepika Sundar <sundar.deepika18 at gmail.com> wrote:
> > As per the rule, root (admin) is the one who is monitoring the system's
> > information, so there must exist some namespace information in the proc field
> > for the namespace-related PID in global. Is the way I'm approaching the
> > namespace-related stuff correct?
> >
> > -Deepika
> >
> > On Mon, Apr 25, 2016 at 12:24 PM, Deepika Sundar <
> > sundar.deepika18 at gmail.com> wrote:
> >
> >> Yeah.
> >> When the PIDs which are in the namespace application have different PIDs
> >> compared to the global PIDs, there would be some means to map the PIDs at the
> >> kernel level. Can anyone suggest how it can be mapped?
> >>
> >> On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> >>
> >>> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
> >>> > Is there any way that can be suggested as to map PID's of namespace in
> >>> > global?
> >>>
> >>> This is on the TODO list. We have been kicking around several ideas but
> >>> have not come to a conclusion about what exactly needs to be done. The
> >>> upshot of this is that basically containers have no support.
> >>>
> >>> -Steve
> >>>
> >>>
> >>> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul at paul-moore.com> wrote:
> >>> > > Please ask your question on the mailing list so that everyone can benefit.
> >>> > >
> >>> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
> >>> > >
> >>> > > <sundar.deepika18 at gmail.com> wrote:
> >>> > > > How it can be achieved ,Can I get any idea on this?
> >>> > > >
> >>> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul at paul-moore.com>
> >>> wrote:
> >>> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
> >>> > > >>
> >>> > > >> <sowndarya.nadar at gmail.com> wrote:
> >>> > > >> > Hi
> >>> > > >> >
> >>> > > >> > Is there any way to map the PIDs seen in the namespace application
> >>> > > >> > with the PIDs seen in global? If it can be done, please provide
> >>> > > >> > the documentation or an idea on how it can be done.
> >>> > > >>
> >>> > > >> In general the audit subsystem doesn't pay attention to namespaces;
> >>> > > >> all PIDs reported to userspace are reported with respect to the
> >>> > > >> init namespace.
> >>> > > >>
> >>> > > >> --
> >>> > > >> paul moore
> >>> > > >> www.paul-moore.com
> >>> > > >>
> >>> > >
> >>> > > --
> >>> > > paul moore
> >>> > > www.paul-moore.com
> >>>
> >>>
> >>
> >

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
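Added example (not code from the linux-audit list, the kernel, or any poster in this thread): the mapping Richard describes, from a PID in the initial PID namespace to that process's PID in each nested child namespace, can be read from the NSpid line of /proc/<pid>/status, which kernels from Linux 4.1 onward emit. Because, as Paul notes above, audit records carry PIDs relative to the init namespace, this is also how a monitoring tool running in the initial namespace translates an audited global PID into the PID a container sees, and how it finds which global PIDs correspond to a container-local PID (which is not unique across containers). The status text below is constructed for the example; the function names are assumptions of this example, not kernel or audit APIs.

```python
"""Map a process's PID across PID namespaces via the NSpid line of /proc/<pid>/status.

Assumption: a kernel that emits "NSpid:" (Linux 4.1 and later). The sample
status text below is constructed, not captured from a real system.
"""
import os
from typing import Dict, List, Optional

# Constructed /proc/<pid>/status excerpt for a process two PID namespaces deep,
# as read through the host's /proc. NSpid lists the PID in the namespace where
# that /proc was mounted (leftmost, the initial namespace here) down to the
# process's own namespace (rightmost).
SAMPLE_STATUS = (
    "Name:\tsleep\n"
    "State:\tS (sleeping)\n"
    "Tgid:\t4242\n"
    "Pid:\t4242\n"
    "PPid:\t4200\n"
    "NStgid:\t4242\t17\t3\n"
    "NSpid:\t4242\t17\t3\n"
    "NSpgid:\t4242\t17\t3\n"
    "NSsid:\t4242\t1\t1\n"
)


def parse_nspid(status_text: str) -> List[int]:
    """Return the PID chain from the NSpid line, outermost namespace first."""
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(tok) for tok in line.split(":", 1)[1].split()]
    raise ValueError("no NSpid line: kernel older than 4.1 or not a status file")


def pid_at_depth(status_text: str, depth: int) -> Optional[int]:
    """PID as seen `depth` namespaces below the one /proc was mounted in.

    depth 0 is the global PID when reading the host's /proc; None means the
    process does not live that deep.
    """
    chain = parse_nspid(status_text)
    return chain[depth] if 0 <= depth < len(chain) else None


def namespace_depth(status_text: str) -> int:
    """Number of PID namespaces below the reader's that the process lives in."""
    return len(parse_nspid(status_text)) - 1


def global_pids_for(chains: Dict[int, List[int]], inner_pid: int, depth: int) -> List[int]:
    """Reverse lookup: which global PIDs have `inner_pid` at namespace `depth`.

    A container-local PID is not unique across containers, so this may return
    several global PIDs; the caller disambiguates using the rest of the chain.
    """
    return sorted(g for g, chain in chains.items()
                  if depth < len(chain) and chain[depth] == inner_pid)


def collect_chains(proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Walk a real /proc and build {global_pid: nspid_chain} for every process.

    Run from the initial PID namespace, which is the only one that sees every
    PID; processes that exit mid-walk or lack NSpid are skipped.
    """
    chains: Dict[int, List[int]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                chains[int(entry)] = parse_nspid(fh.read())
        except (FileNotFoundError, ProcessLookupError, PermissionError, ValueError):
            continue
    return chains


if __name__ == "__main__":
    # An audit record would carry the global PID; show its container-local view.
    depth = namespace_depth(SAMPLE_STATUS)
    print("sample: global PID %d is PID %d inside its own namespace, %d level(s) down"
          % (pid_at_depth(SAMPLE_STATUS, 0), pid_at_depth(SAMPLE_STATUS, depth), depth))
    live = collect_chains() if os.path.isdir("/proc") else {}
    nested = {g: c for g, c in live.items() if len(c) > 1}
    print("%d processes visible, %d in a child PID namespace" % (len(live), len(nested)))
    for g, c in sorted(nested.items())[:10]:
        print("  global %-7d -> %s" % (g, " -> ".join(map(str, c[1:]))))
```

Run as root from the host's initial PID namespace so that every process is visible; a process inside a container reading its own /proc sees a chain that starts at its own namespace, which is exactly why a child namespace cannot learn its parent-namespace PID from this file.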



