Pavel Emelyanov | 2868f89 | 2007-11-28 16:21:39 -0800

	Namespaces compatibility list

This document contains information about the problems a user
may have when creating tasks living in different namespaces.

Here's the summary. This matrix shows the known problems that
occur when tasks share some namespace (the columns) while living
in different other namespaces (the rows):

	UTS	IPC	VFS	PID	User	Net
UTS	 X
IPC		 X	 1
VFS			 X
PID		 1	 1	 X
User		 2	 2		 X
Net						 X

1. Both the IPC and the PID namespaces provide IDs to address
   objects inside the kernel. E.g. a semaphore with an IPCID or a
   process group with a pid.

   In both cases, tasks shouldn't try exposing this ID to some
   other task living in a different namespace via a shared filesystem
   or IPC shmem/message. The fact is that this ID is only valid
   within the namespace it was obtained in and may refer to some
   other object in another namespace.

2. Intentionally, two equal user IDs in different user namespaces
   should not be equal from the VFS point of view. In other
   words, user 10 in one user namespace shouldn't have the same
   access permissions to files belonging to user 10 in another
   namespace.

   The same is true when IPC namespaces are shared - two users
   from different user namespaces should not access the same IPC objects
   even if they have equal UIDs.

   But currently this is not so.

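Note 1 in practice, as an added example that is not part of the original document or the kernel tree: a reader in an outer PID namespace cannot use a PID number written by a task in a nested namespace as-is, and has to map it or reject it as ambiguous. It assumes the NSpid field of /proc/<pid>/status, which exists in kernels newer than this document (Linux 4.1 and later); the status excerpts are constructed, and parse_nspid and resolve_inner_pid are hypothetical helper names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { PID_NOT_FOUND = -1, PID_AMBIGUOUS = -2 };
/* Constructed /proc/<pid>/status excerpts, read from the outer namespace;
 * NSpid lists the outermost PID first and the innermost PID last. */
static const char *const sample_status[] = {
    "Name:\tcron\nNSpid:\t7\n",          /* outer task, PID 7         */
    "Name:\tinit\nNSpid:\t4100\t1\n",    /* namespace A, PID 1 inside */
    "Name:\tworker\nNSpid:\t4242\t7\n",  /* namespace A, PID 7 inside */
    "Name:\tinit\nNSpid:\t5100\t1\n",    /* namespace B, PID 1 inside */
};

/* Returns the nesting depth and stores the outermost and innermost PID. */
static int parse_nspid(const char *status, long *outer, long *inner)
{
    const char *p = strstr(status, "\nNSpid:");
    int depth = 0;
    if (!p) return 0;
    for (p += strlen("\nNSpid:"); ; depth++) {
        char *end;
        p += strspn(p, " \t");
        if (*p < '0' || *p > '9') break;    /* end of the NSpid line */
        *inner = strtol(p, &end, 10);
        if (depth == 0) *outer = *inner;
        p = end;
    }
    return depth;
}

/* Outer PID of the nested task whose innermost PID equals inner_pid. */
static long resolve_inner_pid(const char *const *tasks, size_t n, long inner_pid)
{
    long outer = 0, inner = 0, found = PID_NOT_FOUND;
    for (size_t i = 0; i < n; i++) {
        if (parse_nspid(tasks[i], &outer, &inner) < 2 || inner != inner_pid)
            continue;                   /* not nested, or another number */
        if (found != PID_NOT_FOUND)
            return PID_AMBIGUOUS;       /* number reused in two namespaces */
        found = outer;
    }
    return found;
}

int main(void)
{
    printf("inner 7 -> outer %ld, inner 1 -> %ld\n", resolve_inner_pid(sample_status, 4, 7),
           resolve_inner_pid(sample_status, 4, 1));
    return 0;
}
```

With this sample, inner PID 7 maps to outer PID 4242 while outer PID 7 is an unrelated task, and inner PID 1 cannot be resolved without knowing which namespace the sender lives in.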