Re: [vserver] vxW: did lookup hidden devpts

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Thu 02 Apr 2009 - 11:48:18 BST
Message-ID: <20090402104818.GA15801@MAIL.13thfloor.at>

On Fri, Mar 27, 2009 at 10:57:07AM +0100, Sebastien Bonnegent wrote:
> Herbert Poetzl wrote:
> > On Thu, Mar 26, 2009 at 02:36:09PM +0100, Sebastien Bonnegent wrote:
> > These lines are generated by the command "vps ax" on master.
> >
> >> usually those lines are generated by pts/ptys which
> >> were 'brought' into a context via 'enter' or 'exec'
> >> if you get those messages without entering a guest,
> >> I'm quite interested in a reproducible setup.
>
> I only do a "vps ax" on the master, so without 'exec' or 'enter'. If I enable
> "CONFIG_VSERVER_PRIVACY", this command always generates the lines below:
> [ 3062.859858] vxW: [»ps«,22083:#1|0|0] did lookup hidden devpts:f5689a40[#0,2] »/dev/pts«.
> [ 3363.185658] vxW: [»ps«,22348:#1|0|0] did lookup hidden devpts:f5689a40[#0,2] »/dev/pts«.
> [ 3662.571683] vxW: [»ps«,22627:#1|0|0] did lookup hidden devpts:f5689a40[#0,2] »/dev/pts«.
> [ 3962.682085] vxW: [»ps«,3483:#1|0|0] did lookup hidden devpts:f5689a40[#0,2] »/dev/pts«.
> [ 4262.661764] vxW: [»ps«,3747:#1|0|0] did lookup hidden devpts:f5689a40[#0,2] »/dev/pts«.
>
> With "CONFIG_VSERVER_PRIVACY" disabled, I have no log.

that is expected too, if you want to honor the guests'
privacy, the ptys are naturally off limits ...

> > Can I find somewhere the description of
> >
> >> yes, the kernel config contains descriptions for all
> >> the config options, just press '?' to view them
>
> Yes, but descriptions are a bit short :)

patches are welcome :)

> > "CONFIG_VSERVER_PRIVACY" option ?
> >
> >> When enabled, most context checks will disallow
> >> access to structures assigned to a specific context,
> >> like ptys or loop devices.
> >
>
> Thank you.
> With this option the master can't access structures of a context, or does it
> concern only guests to guests?

host - guest, guest - guest is protected by default
thus it is called isolation :)

HTC,
Herbert

> > Sebastien Bonnegent wrote:
> >>>> Hi,
> >>>>
> >>>> I have these lines in my syslog:
> >>>>
> >>>> [ 3872.477649] vxW: [»ps«,23026:#1|0|0] did lookup hidden devpts:f55dd500[#0,2] »/dev/pts«.
> >>>> [ 4172.175854] vxW: [»ps«,23291:#1|0|0] did lookup hidden devpts:f55dd500[#0,2] »/dev/pts«.
> >>>> [ 4472.844371] vxW: [»ps«,23570:#1|0|0] did lookup hidden devpts:f55dd500[#0,2] »/dev/pts«.
> >>>>
> >>>> Do you know what it is?
> >>>>
> >>>> # uname -r
> >>>> 2.6.28.7-vs2.3.0.36.8-090326
> >>>>
> >>>> # grep VSERVER /boot/config-2.6.28.7-vs2.3.0.36.8-090326
> >>>> CONFIG_VSERVER_AUTO_LBACK=y
> >>>> CONFIG_VSERVER_AUTO_SINGLE=y
> >>>> CONFIG_VSERVER_COWBL=y
> >>>> # CONFIG_VSERVER_VTIME is not set
> >>>> # CONFIG_VSERVER_DEVICE is not set
> >>>> CONFIG_VSERVER_PROC_SECURE=y
> >>>> CONFIG_VSERVER_HARDCPU=y
> >>>> CONFIG_VSERVER_IDLETIME=y
> >>>> # CONFIG_VSERVER_IDLELIMIT is not set
> >>>> CONFIG_VSERVER_PRIVACY=y
> >>>> CONFIG_VSERVER_CONTEXTS=256
> >>>> CONFIG_VSERVER_WARN=y
> >>>> # CONFIG_VSERVER_DEBUG is not set
> >>>> CONFIG_VSERVER=y
> >>>> CONFIG_VSERVER_SECURITY=y
> >>>>
> >>>>
>
> - --
> Regards - Sébastien Bonnegent
>
> "GNU/Linux: there is worse, but it costs more."
> - ---------------------------------------------------------------------------------------
> | http://www.insa-rouen.fr/institution/organisation/equipe-de-direction/informatique/ |
> - ---------------------------------------------------------------------------------------
> | System and network engineer | Tel: 02 32 95 98 61 | GnuPG: 0x669176B0 |
> -------------------------------------------------------------------------
> | https://asi.insa-rouen.fr/asipedia/index.php/GnuPG |
> ------------------------------------------------------
Received on Thu Apr 2 11:48:35 2009
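
An added example, not part of the original thread or of the Linux-VServer code: a small parser that groups the "did lookup hidden" warnings discussed above by command and path and reports how regularly they recur, with the five lines quoted in the thread embedded as constructed input. The field names in the regular expression are assumptions about the message layout, which the thread does not document.

```python
import re
from collections import defaultdict

# Constructed sample: the five warnings quoted in the thread.
SAMPLE = """\
[ 3062.859858] vxW: [»ps«,22083:#1|0|0] did lookup hidden devpts:f5689a40[#0,2] »/dev/pts«.
[ 3363.185658] vxW: [»ps«,22348:#1|0|0] did lookup hidden devpts:f5689a40[#0,2] »/dev/pts«.
[ 3662.571683] vxW: [»ps«,22627:#1|0|0] did lookup hidden devpts:f5689a40[#0,2] »/dev/pts«.
[ 3962.682085] vxW: [»ps«,3483:#1|0|0] did lookup hidden devpts:f5689a40[#0,2] »/dev/pts«.
[ 4262.661764] vxW: [»ps«,3747:#1|0|0] did lookup hidden devpts:f5689a40[#0,2] »/dev/pts«.
"""

# Assumed layout: [uptime] vxW: [»command«,pid:#context|n|n] did lookup hidden
# kind:address[#object context,n] »path«. Group names are hypothetical labels.
VXW = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\] vxW: "
    r"\[»(?P<comm>[^«]*)«,(?P<pid>\d+):#(?P<ctx>\d+)\|\d+\|\d+\] "
    r"did lookup hidden (?P<kind>\w+):(?P<addr>[0-9a-f]+)"
    r"\[#(?P<obj_ctx>\d+),\d+\] »(?P<path>[^«]*)«"
)

def parse(text):
    """Return one dict of string fields per matching warning in text."""
    return [m.groupdict() for m in VXW.finditer(text)]

def summarize(events):
    """Group by (command, path): event count, distinct PIDs, mean gap in seconds."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["comm"], e["path"])].append(e)
    out = {}
    for key, evs in groups.items():
        ts = sorted(float(e["ts"]) for e in evs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        out[key] = {
            "count": len(evs),
            "pids": len({e["pid"] for e in evs}),
            # None when a group has a single event and therefore no gap
            "mean_gap_s": round(sum(gaps) / len(gaps)) if gaps else None,
        }
    return out

if __name__ == "__main__":
    for (comm, path), stats in summarize(parse(SAMPLE)).items():
        print(comm, path, stats)
```

On the quoted lines this reports five warnings from five different `ps` PIDs about 300 seconds apart, which is consistent with a periodically scheduled job on the host.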
