Richard Guy Briggs | 22 Apr 20:12 2014

[PATCH 0/2] namespaces: log namespaces per task

I saw no replies to my questions when I replied a year after Aris' posting, so
I don't know if it was ignored or got lost in stale threads:
        https://www.redhat.com/archives/linux-audit/2013-March/msg00020.html
        https://www.redhat.com/archives/linux-audit/2013-March/msg00033.html
        (https://lists.linux-foundation.org/pipermail/containers/2013-March/032063.html)
        https://www.redhat.com/archives/linux-audit/2014-January/msg00180.html

I've tried to answer a number of questions that were raised in that thread.

The goal is not quite identical to Aris' patchset.

The purpose is to track namespaces in use by logged processes from the
perspective of init_*_ns.  The first patch defines a function to list them.
The second patch provides an example of usage for audit_log_task_info() which
is used by syscall audits, among others.  audit_log_task() and
audit_common_recv_message() would be other potential use cases.

Use a serial number per namespace (unique across one boot of one kernel)
instead of the inode number (which is claimed to have had the right to change
reserved and is not necessarily unique if there is more than one proc fs).  It
could be argued that the inode numbers have now become a de facto interface and
can't change now, but I'm proposing this approach to see if this helps address
some of the objections to the earlier patchset.

There could also be messages added to track the creation and the destruction
of namespaces, listing the parent for hierarchical namespaces such as pidns,
userns, and listing other ids for non-hierarchical namespaces, as well as other
information to help identify a namespace.

There has been some progress made for audit in net namespaces and pid

Chen Hanxiao | 22 Apr 12:03 2014

[PATCH] ns: Introduce pid_in_ns under /proc

We lacked a convenient method of getting the pid inside containers.
If some issues occurred inside a container guest, the host user
could not know which process is in trouble just by the guest pid:
the users of the container guest only knew the pid inside the container.
This will bring obstacles for troubleshooting.

This patch introduces pid_in_ns:
If one process is in init_pid_ns, /proc/PID/pid_in_ns
equals /proc/PID;
if one process is in a pidns, /proc/PID/pid_in_ns
will tell the pid inside the container;
if the pidns is nested, it depends on which pidns you are in.

Signed-off-by: Chen Hanxiao <chenhanxiao@...>
---
 fs/proc/array.c    | 13 +++++++++++++
 fs/proc/base.c     |  1 +
 fs/proc/internal.h |  2 ++
 3 files changed, 16 insertions(+)

diff --git a/fs/proc/array.c b/fs/proc/array.c
index 64db2bc..8c3014b 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
 <at>  <at>  -562,6 +562,19  <at>  <at>  int proc_tgid_stat(struct seq_file *m, struct pid_namespace *ns,
 	return do_task_stat(m, ns, pid, task, 1);
 }

+int proc_pid_in_ns(struct seq_file *m, struct pid_namespace *ns,
+			struct pid *pid, struct task_struct *task)
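Review bot: the diffstat touches only fs/proc/array.c, fs/proc/base.c and fs/proc/internal.h, so the new /proc/PID/pid_in_ns file gets no entry in Documentation/filesystems/proc.txt; please add one, and state there (and in the commit message) which namespace the reported pid is relative to, since proc_pid_in_ns() receives both the `ns` of the reader's /proc mount and the `task` whose own pid namespace may differ, and "it depends on which pidns you are in" leaves a reader guessing which of the two is meant.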

Jianyu Zhan | 22 Apr 08:30 2014

[PATCH 0/4] cgroup: substitute per-cgroup id with per-subsys id

Currently, cgrp->id is only used to look up css's.  As cgroup and
css's lifetimes are now decoupled, it should be made per-subsystem
and moved to css->css_id so that lookups are successful until the
target css is released.

Patches 1-3 are prep patches.
Patch 4 does the converting job.

Thanks!

Jianyu Zhan (4):
  cgroup: introduce helper css_to_id()
  mm/memcontrol.c: use accessor to get id from css
  netprio_cgroup: use accessor to get id from css
  cgroup: convert from per-cgroup id to per-subsys id

 include/linux/cgroup.h    | 27 ++++++-------
 kernel/cgroup.c           | 96 +++++++++++++++++++++++++----------------------
 mm/memcontrol.c           |  8 ++--
 net/core/netprio_cgroup.c |  8 ++--
 4 files changed, 74 insertions(+), 65 deletions(-)

--

-- 
2.0.0-rc0
Jianyu Zhan | 22 Apr 07:44 2014

[PATCH] cgroup: use uninitialized_var() for may-be uninitialized variable

To suppress this warning:

 warning: ‘err’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  int err;
	^

Use uninitialized_var() to declare err. It also serves as good documentation.

Signed-off-by: Jianyu Zhan <nasa4836@gmail.com>
---
 kernel/cgroup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 24675f5..930569c 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
 <at>  <at>  -4144,7 +4144,7  <at>  <at>  static int create_css(struct cgroup *cgrp, struct cgroup_subsys *ss)
 {
 	struct cgroup *parent = cgrp->parent;
 	struct cgroup_subsys_state *css;
-	int err;
+	int uninitialized_var(err);

 	lockdep_assert_held(&cgroup_mutex);
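Review bot: uninitialized_var() only suppresses the diagnostic, it does not initialize `err`, so if any path through create_css() really can reach a use of `err` without assigning it, this hunk hides a real bug instead of fixing it. Prefer either explaining in the commit message why every path assigns `err` before use (then the annotation is purely cosmetic) or restructuring so the compiler can see it, e.g. `int err = 0;` with an explicit assignment on each failure path; "good documentation" is a weak justification for a macro whose effect is to silence the compiler.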

--

-- 
2.0.0-rc0


Jianyu Zhan | 22 Apr 07:30 2014

[PATCH] hugetlb_cgroup: explicitly init the early_init field

For a cgroup subsystem that should init early, it should carefully
take care of the implementation of css_alloc, because it will be called
before mm_init() sets up the world.

Luckily we don't, and we'd better explicitly assign the early_init field
to 0, for documentation reasons.

Signed-off-by: Jianyu Zhan <nasa4836@...>
---
 mm/hugetlb_cgroup.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/hugetlb_cgroup.c b/mm/hugetlb_cgroup.c
index 595d7fd..b5368f8 100644
--- a/mm/hugetlb_cgroup.c
+++ b/mm/hugetlb_cgroup.c
 <at>  <at>  -405,4 +405,5  <at>  <at>  struct cgroup_subsys hugetlb_cgrp_subsys = {
 	.css_alloc	= hugetlb_cgroup_css_alloc,
 	.css_offline	= hugetlb_cgroup_css_offline,
 	.css_free	= hugetlb_cgroup_css_free,
+	.early_init	= 0,
 };
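Review bot: with a designated initializer every member not named in `hugetlb_cgrp_subsys` is already zero, so `.early_init = 0` produces no change in the object file and only signals intent to a human reader. If the goal is documentation, a comment on the `early_init` member in include/linux/cgroup.h describing the css_alloc-before-mm_init() constraint from the commit message would reach every subsystem at once, rather than adding a line to each subsystem definition that a later contributor may drop as redundant.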
--

-- 
2.0.0-rc0
Jianyu Zhan | 22 Apr 07:28 2014

[PATCH] cgroup_freezer: explicitly init the early_init field

For a cgroup subsystem that should init early, it should carefully
take care of the implementation of css_alloc, because it will be called
before mm_init() sets up the world.

Luckily we don't, and we'd better explicitly assign the early_init field
to 0, for documentation reasons.

Signed-off-by: Jianyu Zhan <nasa4836@...>
---
 kernel/cgroup_freezer.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/cgroup_freezer.c b/kernel/cgroup_freezer.c
index 2bc4a22..74fe7f7 100644
--- a/kernel/cgroup_freezer.c
+++ b/kernel/cgroup_freezer.c
 <at>  <at>  -501,4 +501,5  <at>  <at>  struct cgroup_subsys freezer_cgrp_subsys = {
 	.attach		= freezer_attach,
 	.fork		= freezer_fork,
 	.base_cftypes	= files,
+	.early_init	= 0,
 };
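Review bot: `.early_init = 0` is the value the designated initializer already gives the field, so this hunk is a no-op for the compiler; the same one-line change is being sent separately for hugetlb_cgroup, cgroup_freezer and the debug subsystem, and if it is kept at all it would be cleaner as a single patch, with the reasoning ("css_alloc runs before mm_init() when early_init is set") recorded as a code comment where the field is declared rather than only in three commit messages.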
--

-- 
2.0.0-rc0
Jianyu Zhan | 22 Apr 07:27 2014

[PATCH] cgroup: explicitly init the early_init field

For a cgroup subsystem that should init early, it should carefully
take care of the implementation of css_alloc, because it will be called
before mm_init() sets up the world.

Luckily we don't, and we'd better explicitly assign the early_init field
to 0, for documentation reasons.

Signed-off-by: Jianyu Zhan <nasa4836@...>
---
 kernel/cgroup.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 559f822..f23cb67 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
 <at>  <at>  -5325,5 +5325,6  <at>  <at>  struct cgroup_subsys debug_cgrp_subsys = {
 	.css_alloc = debug_css_alloc,
 	.css_free = debug_css_free,
 	.base_cftypes = debug_files,
+	.early_init = 0,
 };
 #endif /* CONFIG_CGROUP_DEBUG */
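Review bot: the explicit `.early_init = 0` adds nothing the designated initializer does not already do, and the hunk itself gives a reader no hint why a zero is spelled out; if the intent really is to document that `debug_cgrp_subsys` deliberately does not init early, put that reason in a comment next to the line, since the commit message is not visible to someone reading kernel/cgroup.c under CONFIG_CGROUP_DEBUG later.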
--

-- 
2.0.0-rc0
Takeshi Misawa | 19 Apr 14:52 2014

[PATCH] cgroup:cgroup_mount: Fix uninitialized warning

This patch fixes the following warning.

kernel/cgroup.c: In function ‘cgroup_mount’:
kernel/cgroup.c:1609:13: warning: ‘root’ may be used uninitialized in this function

Signed-off-by: Takeshi Misawa <jeantsuru@gmail.com>
---
 kernel/cgroup.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 9fcdaa7..ba03421 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
 <at>  <at>  -1483,7 +1483,7  <at>  <at>  static struct dentry *cgroup_mount(struct
file_system_type *fs_type,
                         int flags, const char *unused_dev_name,
                         void *data)
 {
-       struct cgroup_root *root;
+       struct cgroup_root *root = NULL;
        struct cgroup_sb_opts opts;
        struct dentry *dentry;
        int ret;
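Review bot: `struct cgroup_root *root = NULL;` silences -Wmaybe-uninitialized, but it only changes behaviour if some path really reaches `out_unlock` (the warning points at line 1609, in that block) without having assigned `root`; the commit message should name that path. If none exists, the initialization is noise that prevents the compiler from flagging a future regression; if one does exist, the warning was pointing at a genuine bug and the added `if (!root)` check in the second hunk is the real fix, so the description should say so rather than "fixes the following warning".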
 <at>  <at>  -1604,6 +1604,11  <at>  <at>  out_unlock:
        if (ret)
                return ERR_PTR(ret);

+       if (!root) {
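Review bot: the new `if (!root)` block is placed after `if (ret) return ERR_PTR(ret);`, so it runs only on the ret == 0 path; its body (cut off here) must return an error pointer rather than fall through to code that dereferences `root`, and the commit message should state which successful-looking path leaves `root` unset so reviewers do not have to trace all jumps to `out_unlock` themselves.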

Jianyu Zhan | 17 Apr 17:29 2014

[PATCH 1/3] cgroup: clean up obsolete comment for parse_cgroupfs_options()

Commit 1d5be6b287c8efc87 (cgroup: move module ref handling into
rebind_subsystems()) makes parse_cgroupfs_options() no longer
take refcounts on subsystems.

And the unified hierarchy makes parse_cgroupfs_options() not need to
be called with cgroup_mutex held to protect the cgroup_subsys[].

So this patch cleans up these comments and the BUG_ON().

Signed-off-by: Jianyu Zhan <nasa4836@...>
---
 kernel/cgroup.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 2412cb7..b261798 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
 <at>  <at>  -1222,10 +1222,7  <at>  <at>  struct cgroup_sb_opts {
 };

 /*
- * Convert a hierarchy specifier into a bitmask of subsystems and
- * flags. Call with cgroup_mutex held to protect the cgroup_subsys[]
- * array. This function takes refcounts on subsystems to be used, unless it
- * returns error, in which case no refcounts are taken.
+ * Convert a hierarchy specifier into a bitmask of subsystems and flags.
  */
 static int parse_cgroupfs_options(char *data, struct cgroup_sb_opts *opts)
 {
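Review bot: the hunk drops the sentence stating that cgroup_mutex must be held, but puts nothing in its place saying what now protects the `cgroup_subsys[]` accesses the function still makes; a one-line note with the current invariant (for example that the array is a static table not modified after boot, if that is the reason) would keep the locking contract discoverable at the function instead of only in this commit message. The BUG_ON() the description mentions is not in the visible hunk, so please name the assertion being removed in the commit message as well.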

Jianyu Zhan | 17 Apr 17:29 2014

[PATCH 2/3] cgroup: remove orphaned cgroup_pidlist_seq_operations

Commit 6612f05b88fa309c9 (cgroup: unify pidlist and other file handling)
has removed the only user of cgroup_pidlist_seq_operations:
cgroup_pidlist_open().

This patch removes it.

Signed-off-by: Jianyu Zhan <nasa4836@...>
---
 kernel/cgroup.c | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index b261798..38a9cd0 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
 <at>  <at>  -3883,17 +3883,6  <at>  <at>  static int cgroup_pidlist_show(struct seq_file *s, void *v)
 	return seq_printf(s, "%d\n", *(int *)v);
 }

-/*
- * seq_operations functions for iterating on pidlists through seq_file -
- * independent of whether it's tasks or procs
- */
-static const struct seq_operations cgroup_pidlist_seq_operations = {
-	.start = cgroup_pidlist_start,
-	.stop = cgroup_pidlist_stop,
-	.next = cgroup_pidlist_next,
-	.show = cgroup_pidlist_show,
-};
-
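Review bot: after this removal `cgroup_pidlist_start`, `cgroup_pidlist_stop`, `cgroup_pidlist_next` and `cgroup_pidlist_show` are no longer referenced from this table; if any of them has no other caller it becomes an unused static function and gcc warns (-Wunused-function). They are still wired in through the cftype seq callbacks (`.seq_start`/`.seq_next`/`.seq_stop`/`.seq_show`) for the "tasks" and "cgroup.procs" files, and the commit message should say so, so that the reader can see the four callbacks remain in use.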

Jianyu Zhan | 17 Apr 17:28 2014

[PATCH 3/3] cgroup: replace pr_warning with preferred pr_warn

As suggested by scripts/checkpatch.pl, substitute all pr_warning()
with pr_warn().

No functional change.

Signed-off-by: Jianyu Zhan <nasa4836@...>
---
 kernel/cgroup.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 38a9cd0..2b436e2 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
 <at>  <at>  -1126,9 +1126,9  <at>  <at>  static int rebind_subsystems(struct cgroup_root *dst_root,
 		 * Just warn about it and continue.
 		 */
 		if (cgrp_dfl_root_visible) {
-			pr_warning("cgroup: failed to create files (%d) while rebinding 0x%lx to default root\n",
+			pr_warn("cgroup: failed to create files (%d) while rebinding 0x%lx to default root\n",
 				   ret, ss_mask);
-			pr_warning("cgroup: you may retry by moving them to a different hierarchy and unbinding\n");
+			pr_warn("cgroup: you may retry by moving them to a different hierarchy and unbinding\n");
 		}
 	}
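Review bot: the unchanged continuation line `ret, ss_mask);` was indented to sit under the opening parenthesis of `pr_warning(`; with the three-character-shorter `pr_warn(` it now hangs three columns past the parenthesis, so re-indent it in the same patch (checkpatch will otherwise flag the alignment this patch was written to satisfy). "No functional change" holds because pr_warn is defined as an alias of pr_warning in include/linux/printk.h, which is worth one sentence in the description.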

 <at>  <at>  -1326,7 +1326,7  <at>  <at>  static int parse_cgroupfs_options(char *data, struct cgroup_sb_opts *opts)
 	/* Consistency checks */

 	if (opts->flags & CGRP_ROOT_SANE_BEHAVIOR) {

