Here it is: https://github.com/JehanneOS/jehanne/commit/320e6e6f35bfbc2e37dbd079c8d6a9124bd9ac6c
The simple test attached confirms that it works as expected: https://github.com/JehanneOS/jehanne/blob/master/qa/kern/nsclone.c Now it's just matter of modifying the plumber to use this facility and add a ns/clone command that take a pid and a command to run so that ns/clone 256 rc would start a new rc in a copy of the name space of the process with pid 256. Giacomo 2017-10-24 21:18 GMT+02:00 Giacomo Tesio <[email protected]>: > 2017-10-24 16:21 GMT+02:00 Alex Musolino <[email protected]>: >> Creating a child process is something that a process explicitly >> controls and the RFNOTEG flag of rfork(2) allows a process to control >> whether or not it shares its namespace with its children. Allowing >> other, unrelated processes to fiddle with your namespace is quite >> different. >> >> Think about multiple processes owned by multiple users running on a >> cpu server. Which processes should be allowed to join which >> namespaces? >> >> Perhaps allowing only the hostowner to join namespaces for debugging >> and administration purposes would be acceptable. > > I like this idea a lot. I will give it a try in Jehanne. > > However I'm going to use a slightly different design: writing "clone" > to /proc/$pid/ns will cause the current process to replace its own > name space with a *copy* of that of $pid. > If the owner of $pid is different from that of the current process or > if $pid is not running on the same machine as the current process, the > write will fail with an error. > > However any change to the name space after the clone does not impact > the original process. > > As for the plumber, I will add a message that make the plumber clone > the name space of a target process. > > This should address both use-cases without issues for the processes > running in the original name space. > > > Giacomo
