linux-pinenote/Documentation/namespaces/compatibility-list.txt

	Namespaces compatibility list

This document contains the information about the problems user
may have when creating tasks living in different namespaces.

Here's the summary. This matrix shows the known problems, that
occur when tasks share some namespace (the columns) while living
in different other namespaces (the rows):

	UTS	IPC	VFS	PID	User	Net
UTS	 X
IPC		 X	 1
VFS			 X
PID		 1	 1	 X
User		 2	 2		 X
Net						 X

1. Both the IPC and the PID namespaces provide IDs to address
   object inside the kernel. E.g. semaphore with IPCID or
   process group with pid.

   In both cases, tasks shouldn't try exposing this ID to some
   other task living in a different namespace via a shared filesystem
   or IPC shmem/message. The fact is that this ID is only valid
   within the namespace it was obtained in and may refer to some
   other object in another namespace.

2. Intentionally, two equal user IDs in different user namespaces
   should not be equal from the VFS point of view. In other
   words, user 10 in one user namespace shouldn't have the same
   access permissions to files, belonging to user 10 in another
   namespace.

   The same is true for the IPC namespaces being shared - two users
   from different user namespaces should not access the same IPC objects
   even having equal UIDs.

   But currently this is not so.
The namespaces compatibility list doc People discuss how the namespaces are working/going-to-work together. Ted Ts'o proposed to create some document that describes what problems user may have when he/she creates some new namespace, but keeps others shared. I liked this idea, so here's the initial version of such a document with the problems I currently have in mind and can describe somewhat audibly - the "namespaces compatibility list". The Documentation/namespaces/ directory is about to contain more docs about the namespaces stuff. Thanks to Cedirc for notes and spell checks on the doc, to Daniel for additional info about IPC and User namespaces interaction and to Randy, who alluded me to using a spell checker before sending the documentation :) Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Cc: Randy Dunlap <randy.dunlap@oracle.com> Cc: Daniel Lezcano <dlezcano@fr.ibm.com> Cc: Theodore Tso <tytso@mit.edu> Cc: Cedric Le Goater <clg@fr.ibm.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2007-11-28 16:21:39 -08:00			`Namespaces compatibility list`

			`This document contains the information about the problems user`
			`may have when creating tasks living in different namespaces.`

			`Here's the summary. This matrix shows the known problems, that`
			`occur when tasks share some namespace (the columns) while living`
			`in different other namespaces (the rows):`

			`UTS IPC VFS PID User Net`
			`UTS X`
			`IPC X 1`
			`VFS X`
			`PID 1 1 X`
			`User 2 2 X`
			`Net X`

			`1. Both the IPC and the PID namespaces provide IDs to address`
			`object inside the kernel. E.g. semaphore with IPCID or`
			`process group with pid.`

			`In both cases, tasks shouldn't try exposing this ID to some`
			`other task living in a different namespace via a shared filesystem`
			`or IPC shmem/message. The fact is that this ID is only valid`
			`within the namespace it was obtained in and may refer to some`
			`other object in another namespace.`

			`2. Intentionally, two equal user IDs in different user namespaces`
			`should not be equal from the VFS point of view. In other`
			`words, user 10 in one user namespace shouldn't have the same`
			`access permissions to files, belonging to user 10 in another`
			`namespace.`

			`The same is true for the IPC namespaces being shared - two users`
			`from different user namespaces should not access the same IPC objects`
			`even having equal UIDs.`

			`But currently this is not so.`