Re: [PATCH -mm 5/7] add user namespace

[Eric W. Biederman]

Dave Hansen <haveblue@xxxxxxxxxx> writes:

> On Thu, 2006-07-13 at 12:14 -0600, Eric W. Biederman wrote:
>> Maybe.  I really think the sane semantics are in a different uid namespace.
>> So you can't assumes uids are the same.  Otherwise you can't handle open
>> file descriptors or files passed through unix domain sockets.
>
> Eric, could you explain this a little bit more?  I'm not sure I
> understand the details of why this is a problem?

Very simply.

In the presence of a user namespace.  
All comparisons of a user equality need to be of the tuple (user namespace, user id).
Any comparison that does not do that is an optimization.

Because you can have access to files created in another user namespace it
is very unlikely that optimization will apply very frequently.  The easy scenario
to get access to a file descriptor from another context is to consider unix
domain sockets.

So my impression was that Cedric's patchset was overoptimized because
it did not change most of the uid comparisons, to (user namespace, user id).

This is one of those strange cases where the optimization is less work
because it means not applying a patch.

Eric
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/