From 882e1a40dcd84611289e680affcbc5e03e275b56 Mon Sep 17 00:00:00 2001 From: Cholerae Hu Date: Wed, 18 Nov 2015 12:43:55 +0800 Subject: [PATCH 1/4] add raw englist txt Signed-off-by: Cholerae Hu --- en/namespaces/compatibility-list.md | 68 +++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 en/namespaces/compatibility-list.md diff --git a/en/namespaces/compatibility-list.md b/en/namespaces/compatibility-list.md new file mode 100644 index 0000000..a6ea37a --- /dev/null +++ b/en/namespaces/compatibility-list.md 
@@ -0,0 +1,68 @@ +# Namespaces compatibility list + +This document contains the information about the problems user + +may have when creating tasks living in different namespaces. + + + +Here's the summary. This matrix shows the known problems, that + +occur when tasks share some namespace (the columns) while living + +in different other namespaces (the rows): + X |UTS | IPC | VFS | PID | User | Net +----|----|-----|-----|-----|------|----- +UTS | X | | | | | +IPC | | X | 1 | | | +VFS | | | X | | | +PID | | 1 | 1 | X | | +User| | 2 | 2 | | X | +Net | | | | | | X + + + +1. Both the IPC and the PID namespaces provide IDs to address + + object inside the kernel. E.g. semaphore with IPCID or + + process group with pid. + + + + In both cases, tasks shouldn't try exposing this ID to some + + other task living in a different namespace via a shared filesystem + + or IPC shmem/message. The fact is that this ID is only valid + + within the namespace it was obtained in and may refer to some + + other object in another namespace. + + + +2. Intentionally, two equal user IDs in different user namespaces + + should not be equal from the VFS point of view. In other + + words, user 10 in one user namespace shouldn't have the same + + access permissions to files, belonging to user 10 in another + + namespace. + + + + The same is true for the IPC namespaces being shared - two users + + from different user namespaces should not access the same IPC objects + + even having equal UIDs. + + + + But currently this is not so. + + + From 7d9f7ba82e98b0d50eb9c860c36c8ee706855d65 Mon Sep 17 00:00:00 2001 From: Cholerae Hu Date: Wed, 18 Nov 2015 12:45:23 +0800 Subject: [PATCH 2/4] add a englist version for compasion Signed-off-by: Cholerae Hu --- zh-cn/namespaces/compatibility-list.md | 68 ++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 zh-cn/namespaces/compatibility-list.md 
diff --git a/zh-cn/namespaces/compatibility-list.md b/zh-cn/namespaces/compatibility-list.md new file mode 100644 index 0000000..a6ea37a --- /dev/null +++ b/zh-cn/namespaces/compatibility-list.md @@ -0,0 +1,68 @@ +# Namespaces compatibility list + +This document contains the information about the problems user + +may have when creating tasks living in different namespaces. + + + +Here's the summary. This matrix shows the known problems, that + +occur when tasks share some namespace (the columns) while living + +in different other namespaces (the rows): + X |UTS | IPC | VFS | PID | User | Net +----|----|-----|-----|-----|------|----- +UTS | X | | | | | +IPC | | X | 1 | | | +VFS | | | X | | | +PID | | 1 | 1 | X | | +User| | 2 | 2 | | X | +Net | | | | | | X + + + +1. Both the IPC and the PID namespaces provide IDs to address + + object inside the kernel. E.g. semaphore with IPCID or + + process group with pid. + + + + In both cases, tasks shouldn't try exposing this ID to some + + other task living in a different namespace via a shared filesystem + + or IPC shmem/message. The fact is that this ID is only valid + + within the namespace it was obtained in and may refer to some + + other object in another namespace. + + + +2. Intentionally, two equal user IDs in different user namespaces + + should not be equal from the VFS point of view. In other + + words, user 10 in one user namespace shouldn't have the same + + access permissions to files, belonging to user 10 in another + + namespace. + + + + The same is true for the IPC namespaces being shared - two users + + from different user namespaces should not access the same IPC objects + + even having equal UIDs. + + + + But currently this is not so. + + + From bf881f8f8655dfe6a439b8fc48c1f0c81d5353de Mon Sep 17 00:00:00 2001 From: Cholerae Hu Date: Wed, 18 Nov 2015 12:46:01 +0800 Subject: [PATCH 3/4] replace the english version by the Chinese version 
Signed-off-by: Cholerae Hu --- zh-cn/namespaces/compatibility-list.md | 62 ++++++-------------------- 1 file changed, 13 insertions(+), 49 deletions(-) diff --git a/zh-cn/namespaces/compatibility-list.md b/zh-cn/namespaces/compatibility-list.md index a6ea37a..151fb91 100644 --- a/zh-cn/namespaces/compatibility-list.md +++ b/zh-cn/namespaces/compatibility-list.md @@ -1,16 +1,14 @@ -# Namespaces compatibility list +> 原文: Documentation/namespaces/compatibility-list.txt +> +> 翻译: [@choleraehyq](https://github.com/choleraehyq) +> +> 校订: []() +# 命名空间兼容性列表 -This document contains the information about the problems user +这个文档包含了用户在创建跨命名空间的任务时可能出现的问题相关的信息。 -may have when creating tasks living in different namespaces. +这有一个概要。这张 matrix 展示了一些已知的问题,当任务本身处于某种命名空间(横行)而需要共享另一种命名空间(竖列)时会出现。 - - -Here's the summary. This matrix shows the known problems, that - -occur when tasks share some namespace (the columns) while living - -in different other namespaces (the rows): X |UTS | IPC | VFS | PID | User | Net ----|----|-----|-----|-----|------|----- UTS | X | | | | | 
@@ -20,49 +18,15 @@ PID | | 1 | 1 | X | | User| | 2 | 2 | | X | Net | | | | | | X +1. IPC 和 PID 命名空间都会提供用于索引内核中对象的 ID 。 例如信号量的 IPCID 和 进程组的 pid。 +在这两种情况下,任务不应当将这个 ID 通过共享文件系统或者进程间共享内存、消息队列暴露给处于其他不同命名空间中的任务。 事实上,这个 ID 只在获得它的那个命名空间中有效,在其他命名空间中它可能指向另一个不同的对象。 -1. Both the IPC and the PID namespaces provide IDs to address - - object inside the kernel. E.g. semaphore with IPCID or - - process group with pid. - - - - In both cases, tasks shouldn't try exposing this ID to some - - other task living in a different namespace via a shared filesystem - - or IPC shmem/message. The fact is that this ID is only valid - - within the namespace it was obtained in and may refer to some - - other object in another namespace. - - - -2. Intentionally, two equal user IDs in different user namespaces - - should not be equal from the VFS point of view. In other - - words, user 10 in one user namespace shouldn't have the same - - access permissions to files, belonging to user 10 in another - - namespace. - - - - The same is true for the IPC namespaces being shared - two users - - from different user namespaces should not access the same IPC objects - - even having equal UIDs. - +2. 特别地,从 VFS 的角度看,在不同用户命名空间中,两个相同的用户 ID 不应该有同等权限。换句话来说,假设有一些文件属于某一个用户命名空间中的用户10,那么另一个用户命名空间中的用户10对这些文件不应当与前者具有相同的权限。 +对于用户命名空间之间共享的 IPC 也是同样的道理。两个不同用户命名空间的用户不应当能够同时访问同一个 IPC 对象,即使他们有着相同的 UID 。 - But currently this is not so. +但是目前内核还没有做到这些。 From d20896f64dcd4d9668b926a2feb58176051e032f Mon Sep 17 00:00:00 2001 From: Cholerae Hu Date: Wed, 18 Nov 2015 12:47:27 +0800 Subject: [PATCH 4/4] little fix Signed-off-by: Cholerae Hu --- zh-cn/namespaces/compatibility-list.md | 1 + 1 file changed, 1 insertion(+) diff --git a/zh-cn/namespaces/compatibility-list.md b/zh-cn/namespaces/compatibility-list.md index 151fb91..44bb2b5 100644 --- a/zh-cn/namespaces/compatibility-list.md +++ b/zh-cn/namespaces/compatibility-list.md 
@@ -3,6 +3,7 @@ > 翻译: [@choleraehyq](https://github.com/choleraehyq) > > 校订: []() + # 命名空间兼容性列表 这个文档包含了用户在创建跨命名空间的任务时可能出现的问题相关的信息。
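Review bot: In the patch 1 hunk that creates en/namespaces/compatibility-list.md, every content line is followed by an extra empty `+` line (the `+ +This document ... + +may have ...` pattern), which looks like a line-ending or copy artifact rather than intent; in Markdown it turns each sentence of notes 1 and 2 into its own paragraph and breaks the list continuation for the indented lines under `1.` and `2.`. Suggest re-importing the text without the doubled blank lines so the `en/` file matches `Documentation/namespaces/compatibility-list.txt` line for line, which also makes the zh-cn diff in patch 3 readable. The matrix lines are consecutive and unaffected, but wrapping them in a fenced block would keep GFM from parsing `----|----|-----|` as a table separator for rows with mismatched cell counts.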
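Review bot: The patch 2 hunk commits the untranslated English text as zh-cn/namespaces/compatibility-list.md (same blob `a6ea37a` as the `en/` file) only for patch 3 to delete 49 of its 68 lines again; the subject says it is there for comparison, but the `en/` copy from patch 1 already serves that purpose. Suggest squashing patches 2 through 4 into one commit that adds the translated file directly, so the review shows a single hunk with the final text and `git blame` on the zh-cn file points at the translation rather than at a placeholder. The subject lines also carry typos (`englist`, `compasion`).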
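Review bot: In the first hunk of patch 3 (header block and introduction), `这张 matrix` leaves `matrix` untranslated; `这张矩阵` or `这张表` reads naturally. The row/column mapping is correct and should stay: the shared namespace is the 竖列 (columns) and the differing namespace is the 横行 (rows), matching the original. `> 校订: []()` is an empty Markdown link that renders literally as `[]()`; if there is no proofreader yet, leave the name blank instead of an empty link. The blank line between `> 校订` and `# 命名空间兼容性列表` that patch 4 adds belongs in this hunk, since this is where the header block is introduced.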
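Review bot: In the second hunk of patch 3 (notes 1 and 2), `特别地` for `Intentionally` shifts the meaning: the original says that equal UIDs in different user namespaces are treated as unequal by design, which is the isolation the user namespace exists to provide, not that this is a special case; `按设计` or `有意地` keeps that sense, and it matters because the closing line `但是目前内核还没有做到这些` is a statement that the kernel does not yet enforce the intended property. `信号量的 IPCID 和 进程组的 pid` has a stray space before `进程组`. Note 1 is translated faithfully: the ID is valid only inside the namespace it was obtained in and may name a different object elsewhere, so passing it to another namespace through a shared filesystem or IPC shmem/message is a cross-namespace confusion risk, and the translation keeps both the mechanism and the reason.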
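Review bot: The patch 4 hunk is a single blank-line insertion titled `little fix`; fold it into patch 3, which introduced the header block it corrects, and if it stays separate give the subject the actual reason (without the blank line some renderers attach `# 命名空间兼容性列表` to the preceding `> 校订: []()` quote block instead of rendering it as a heading).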