Re: Improve init/Kconfig help descriptions [PATCH 3/9]

From: Serge E. Hallyn
Date: Tue Feb 19 2008 - 10:50:30 EST


Quoting Pavel Emelyanov (xemul@xxxxxxxxxx):
> Nick Andrew wrote:
> > On Tue, Feb 19, 2008 at 05:42:07PM +0300, Pavel Emelyanov wrote:
> >> Nick Andrew wrote:
> >>> On Wed, Feb 20, 2008 at 01:06:09AM +1100, Nick Andrew wrote:
> >>>> Here is a series of 9 patches to init/Kconfig intended to improve the
> >>>> usefulness and consistency of the help descriptions. The patches are
> >>>> against linux-2.6.24.2.
> >>>> [...]
> >>>> Patch 3
> >>>> USER_NS
> >>>> PID_NS
> >> What about UTS_NS, IPC_NS and NET_NS?
> >> Their descriptions can be improved in the same way :)
> >
> > So far I have edited only init/Kconfig, that's what these 9
> > patches are for. Next I'll do block/Kconfig. Eventually I expect
> > to get to net/Kconfig which is where NET_NS is configured,
> > but I don't know where UTS_NS and IPC_NS come from in 2.6.24.2.
> >
> > I expect I'll have to start patching against a git tree soon,
> > to be sure to see the latest code. I assume this should be
> > Linus' tree?
>
> Both UTS_NS and IPC_NS are in init/Kconfig. At least they are
> in 2.6.25-rc2 :)
>
> > Is there any actual documentation on user namespaces and friends?
>
> Hardly :(
>
> > I think I grasp the pid namespaces concept; I am having a little
> > difficulty visualising what function user namespaces performs.
> > "provide different user info" isn't a very useful description and
> > I'd fix it if I understood what it is supposed to mean.
>
> The pid namespaces are described here: http://lwn.net/Articles/259217/
>
> > To make a guess at it, how about:
> >
> > Enable support for user namespaces.
> >
> > This is a function used by container-based virtualisation systems
> > (e.g. vservers). User namespaces ensure that processes with the
> > same uid which are in different containers are isolated from each other.
> >
> > Answer Y if you require container-based virtualisation like
> > vservers. If unsure, say N.
>
> You'd better talk to Serge Hallyn (in Cc) about them. He had some
> thoughts on how to complete them :)

That describes the final intent for user namespaces. Currently all they
do is provide for separate accounting for the same uid in different user
namespaces. To provide actual isolation/security, you would currently
want to use an LSM. I'm currently playing with some selinux policy
infrastructure to make that easier.

So as for the description, for now it should probably read something
like:

Enable experimental support for user namespaces.

This is a function used by container-based virtualisation systems
(e.g. vservers). User namespaces are intended to ensure that
processes with the same uid which are in different containers are
isolated from each other.

Currently user namespaces provide separate accounting, while
isolation must be provided using SELinux or a custom security
module.

Answer Y if you require container-based virtualisation like
vservers. If unsure, say N.

>
> > Nick.

thanks,
-serge