On Tue, Oct 08, 2019 at 03:36:37PM +0200, Christian Kellner wrote: > From: Christian Kellner <[email protected]> > > The fdinfo file for a process file descriptor already contains the > pid of the process in the callers namespaces. Additionally, if pid > namespaces are configured, show the process ids of the process in > all nested namespaces in the same format as in the procfs status > file, i.e. "NSPid:\t%d\%d...". This allows the easy identification > of the processes in nested namespaces. > > Signed-off-by: Christian Kellner <[email protected]>
Yeah, makes sense to me. Note that if you send the pidfd to a sibling pid namespace NSpid won't show you anything useful. But that's what I'd expect security wise. You should only be able to snoop on descendant pid namespaces. Please add a test for this to verify that this all works correctly and then resend. The tests live in tools/testing/selftests/pidfd/ and should already have most of the infrastructure there. The fdinfo parsing code should be in samples/pidfd/ which For the patch itself: Reviewed-by: Christian Brauner <[email protected]> You can resend with my Reviewed-by retained if you don't change anything. Before I see tests I'll hold off on merging this. ;) Thanks! Christian
