Re: [PATCH 4/8] kernfs: handle multiple namespace tags

From: Tejun Heo
Date: Mon Apr 13 2020 - 14:46:45 EST

Next message: Alexander Duyck: "Re: [Intel-wired-lan] BUG: e1000: infinitely loop at e1000_set_link_ksettings"
Previous message: Tejun Heo: "Re: [PATCH] device_cgroup: Cleanup cgroup eBPF device filter code"
In reply to: Christian Brauner: "[PATCH 4/8] kernfs: handle multiple namespace tags"
Next in thread: Christian Brauner: "[PATCH 2/8] loopfs: implement loopfs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Apr 08, 2020 at 05:21:47PM +0200, Christian Brauner wrote:
> Since [1] kernfs supports namespace tags. This feature is essential to
> enable sysfs to present different views of on various parts depending on
> the namespace tag. For example, the /sys/class/net/ directory will only
> show network devices that belong to the network namespace that sysfs was
> mounted in. This is achieved by stashing a reference to the network
> namespace of the task mounting sysfs in the super block. And when a
> lookup operation is performed on e.g. /sys/class/net/ kernfs will
> compare the network namespace tag of the kernfs_node associated with the
> device and kobject of the network device to the network namespace of the
> network device. This ensures that only network devices owned by the
> network namespace sysfs was mounted in are shown, a feature which is
> essential to containers.
> For loopfs to show correct permissions in sysfs just as with network
> devices we need to be able to tag kernfs_super_info with additional
> namespaces. This extension was even already mentioned in a comment to
> struct kernfs_super_info:
> /*
> * Each sb is associated with one namespace tag, currently the
> * network namespace of the task which mounted this kernfs
> * instance. If multiple tags become necessary, make the following
> * an array and compare kernfs_node tag against every entry.
> */
> This patch extends the kernfs_super_info and kernfs_fs_context ns
> pointers to fixed-size arrays of namespace tags. The size is taken from
> the namespaces currently supported by kobjects, i.e. we don't extend it
> to cover all namespace but only the ones kernfs needs to support.
> In addition, the kernfs_node struct gains an additional member that
> indicates the type of namespace this kernfs_node was tagged with. This
> allows us to simply retrieve the correct namespace tag from the
> kernfs_fs_context and kernfs_super_info ns array with a simple indexing
> operation. This has the advantage that we can just keep passing down the
> correct namespace instead of passing down the array.
>
> [1]: 608b4b9548de ("netns: Teach network device kobjects which namespace they are in.")
> Cc: Tejun Heo <tj@xxxxxxxxxx>
> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Christian Brauner <christian.brauner@xxxxxxxxxx>

Acked-by: Tejun Heo <tj@xxxxxxxxxx>

Thanks.

--
tejun

Next message: Alexander Duyck: "Re: [Intel-wired-lan] BUG: e1000: infinitely loop at e1000_set_link_ksettings"
Previous message: Tejun Heo: "Re: [PATCH] device_cgroup: Cleanup cgroup eBPF device filter code"
In reply to: Christian Brauner: "[PATCH 4/8] kernfs: handle multiple namespace tags"
Next in thread: Christian Brauner: "[PATCH 2/8] loopfs: implement loopfs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]