diff options
author | Andrey Vagin <avagin@openvz.org> | 2016-09-06 00:47:14 -0700 |
---|---|---|
committer | Eric W. Biederman <ebiederm@xmission.com> | 2016-09-22 19:59:40 -0500 |
commit | 6786741dbf99e44fb0c0ed85a37582b8a26f1c3b (patch) | |
tree | c6d4f7bbb9920c79f6a6393d0900bd850507c37a /include/uapi/linux | |
parent | bcac25a58bfc6bd79191ac5d7afb49bea96da8c9 (diff) | |
download | linux-6786741dbf99e44fb0c0ed85a37582b8a26f1c3b.tar.gz linux-6786741dbf99e44fb0c0ed85a37582b8a26f1c3b.tar.bz2 linux-6786741dbf99e44fb0c0ed85a37582b8a26f1c3b.zip |
nsfs: add ioctl to get an owning user namespace for ns file descriptor
Each namespace has an owning user namespace and now there is not way
to discover these relationships.
Understending namespaces relationships allows to answer the question:
what capability does process X have to perform operations on a resource
governed by namespace Y?
After a long discussion, Eric W. Biederman proposed to use ioctl-s for
this purpose.
The NS_GET_USERNS ioctl returns a file descriptor to an owning user
namespace.
It returns EPERM if a target namespace is outside of a current user
namespace.
v2: rename parent to relative
v3: Add a missing mntput when returning -EAGAIN --EWB
Acked-by: Serge Hallyn <serge@hallyn.com>
Link: https://lkml.org/lkml/2016/7/6/158
Signed-off-by: Andrei Vagin <avagin@openvz.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'include/uapi/linux')
-rw-r--r-- | include/uapi/linux/nsfs.h | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/include/uapi/linux/nsfs.h b/include/uapi/linux/nsfs.h new file mode 100644 index 000000000000..5cacd5c1b5d7 --- /dev/null +++ b/include/uapi/linux/nsfs.h @@ -0,0 +1,11 @@ +#ifndef __LINUX_NSFS_H +#define __LINUX_NSFS_H + +#include <linux/ioctl.h> + +#define NSIO 0xb7 + +/* Returns a file descriptor that refers to an owning user namespace */ +#define NS_GET_USERNS _IO(NSIO, 0x1) + +#endif /* __LINUX_NSFS_H */ |