Unverified Commit 3ab378cf authored by Christian Brauner's avatar Christian Brauner
Browse files

Merge patch series "ns: support file handles" 

Christian Brauner <brauner@kernel.org> says:

For a while now we have supported file handles for pidfds. This has
proven to be very useful.

Extend the concept to cover namespaces as well. After this patchset it
is possible to encode and decode namespace file handles using the
commong name_to_handle_at() and open_by_handle_at() apis.

Namespaces file descriptors can already be derived from pidfds which
means they aren't subject to overmount protection bugs. IOW, it's
irrelevant if the caller would not have access to an appropriate
/proc/<pid>/ns/ directory as they could always just derive the namespace
based on a pidfd already.

It has the same advantage as pidfds. It's possible to reliably and for
the lifetime of the system refer to a namespace without pinning any
resources and to compare them.

Permission checking is kept simple. If the caller is located in the
namespace the file handle refers to they are able to open it otherwise
they must hold privilege over the owning namespace of the relevant
namespace.

Both the network namespace and the mount namespace already have an
associated cookie that isn't recycled and is fully exposed to userspace.
Move this into ns_common and use the same id space for all namespaces so
they can trivially and reliably be compared.

There's more coming based on the iterator infrastructure but the series
is large enough and focuses on file handles.

Extensive selftests included.

* patches from https://lore.kernel.org/20250912-work-namespace-v2-0-1a247645cef5@kernel.org

: (33 commits)
  selftests/namespaces: add file handle selftests
  selftests/namespaces: add identifier selftests
  tools: update nsfs.h uapi header
  nsfs: add missing id retrieval support
  nsfs: support exhaustive file handles
  nsfs: support file handles
  nsfs: add current_in_namespace()
  ns: add to_<type>_ns() to respective headers
  uts: support ns lookup
  user: support ns lookup
  time: support ns lookup
  pid: support ns lookup
  net: support ns lookup
  ipc: support ns lookup
  cgroup: support ns lookup
  mnt: support ns lookup
  nstree: make iterator generic
  ns: remove ns_alloc_inum()
  uts: use ns_common_init()
  user: use ns_common_init()
  ...

Signed-off-by: default avatarChristian Brauner <brauner@kernel.org>
parents 8f5ae30d 28ef38a9

.mailmap

+2 −0
Original line number Diff line number Diff line
@@ -226,6 +226,8 @@ Domen Puncer <domen@coderock.org> 
Douglas Gilbert <dougg@torque.net>

Drew Fustini <fustini@kernel.org> <drew@pdp7.com>

<duje@dujemihanovic.xyz> <duje.mihanovic@skole.hr>

Easwar Hariharan <easwar.hariharan@linux.microsoft.com> <easwar.hariharan@intel.com>

Easwar Hariharan <easwar.hariharan@linux.microsoft.com> <eahariha@linux.microsoft.com>

Ed L. Cashin <ecashin@coraid.com>

Elliot Berman <quic_eberman@quicinc.com> <eberman@codeaurora.org>

Enric Balletbo i Serra <eballetbo@kernel.org> <enric.balletbo@collabora.com>

CREDITS

+7 −0
Original line number Diff line number Diff line
@@ -3222,6 +3222,10 @@ D: AIC5800 IEEE 1394, RAW I/O on 1394 
D: Starter of Linux1394 effort

S: ask per mail for current address



N: Boris Pismenny

E: borisp@mellanox.com

D: Kernel TLS implementation and offload support.



N: Nicolas Pitre

E: nico@fluxnic.net

D: StrongARM SA1100 support integrator & hacker
@@ -4168,6 +4172,9 @@ S: 1513 Brewster Dr. 
S: Carrollton, TX 75010

S: USA



N: Dave Watson

D: Kernel TLS implementation.



N: Tim Waugh

E: tim@cyberelk.net

D: Co-architect of the parallel-port sharing system

Documentation/ABI/stable/sysfs-block

+1 −1
Original line number Diff line number Diff line
@@ -731,7 +731,7 @@ Contact: linux-block@vger.kernel.org 
Description:

		[RW] If the device is registered for writeback throttling, then

		this file shows the target minimum read latency. If this latency

		is exceeded in a given window of time (see wb_window_usec), then

		is exceeded in a given window of time (see curr_win_nsec), then

		the writeback throttling will start scaling back writes. Writing

		a value of '0' to this file disables the feature. Writing a

		value of '-1' to this file resets the value to the default

Documentation/admin-guide/blockdev/zoned_loop.rst

+1 −1
Original line number Diff line number Diff line
@@ -79,7 +79,7 @@ zone_capacity_mb Device zone capacity (must always be equal to or lower than 
                   the zone size. Default: zone size.

conv_zones         Total number of conventioanl zones starting from sector 0.

                   Default: 8.

base_dir           Path to the base directoy where to create the directory

base_dir           Path to the base directory where to create the directory

                   containing the zone files of the device.

                   Default=/var/local/zloop.

                   The device directory containing the zone files is always

Documentation/admin-guide/cgroup-v2.rst

+2 −2
Original line number Diff line number Diff line
@@ -435,8 +435,8 @@ both cgroups. 
Controlling Controllers

-----------------------



Availablity

~~~~~~~~~~~

Availability

~~~~~~~~~~~~



A controller is available in a cgroup when it is supported by the kernel (i.e.,

compiled in, not disabled and not attached to a v1 hierarchy) and listed in the