On 03/09/2019 at 17:08, Dave Love wrote:
> Brice Goglin <Brice.Goglin at inria.fr> writes:
>> Hello
>> I have never tested this. I would hope it would work because we have our
>> own abstraction to identify processes without namespace-specific PIDs,
>> etc. One thing that might need to be checked is the case where UIDs are
>> different between namespaces; I don't know if that would work (by
>> default, regions are only accessible to processes owned by the same user).
>> Brice
> Yes, the question was really whether different uid namespaces are a
> potential security issue.  That seems to be a general question for
> add-on modules that have anything to do with access control.  (I
> wouldn't do that for HPC, of course, but some people think things like
> Docker are a good idea on multi-access systems...  It's moot for Docker,
> but maybe not for podman et al.)

It looks like we're good:

* if one process does unshare(CLONE_NEWUSER), it becomes "nobody" in
that namespace but it can still communicate with my original processes
outside of that namespace (belonging to bgoglin)

* if the original process does setuid(65534) to effectively become
"nobody" too, communication with the other "nobody" fails with EPERM.
