<div dir="ltr"><div><font color="#4c1130">> How do you expect to do this, taking into account the fact that strace</font></div><div><font color="#4c1130">>process doesn't normally have CAP_SYS_ADMIN?</font></div><div><div><font color="#4c1130">>Note that stable upstream kernels do not normally accept new features.</font></div><div><font color="#4c1130">>And downstream kernels are also quite hesitant in doing so.</font></div></div><div><font color="#4c1130"><br></font></div><div>Thank you for a reply, I will summarize the previous misunderstandings:</div><div>1. strace does not have CAP_SYS_ADMIN privileges in most cases, and mounting /proc requires root privileges. </div><div>    Therefore, it is not desirable to mount /proc continuously.</div><div>2. The method of adding a system call is difficult to be passed upstream kernel or downstream kernel, so the previous idea is really unrealistic.</div><div><font color="#4c1130"><br></font></div><div><font color="#4c1130"><span style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">>There are NSFS_* ioctls present that can be used for (PID) namespace</span><br style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">>tree traversal[3]. Along with inspection of *id fields in</span><br style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">>/proc/<pid>/status, the available information information is sufficient</span><br style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">>for deriving the needed PID in strace's PID NS (having /proc mounted</span><br style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">>with different PID NS quite complicates things but still manageable).</span><br></font></div><div><span style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><font color="#4c1130"><span style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">>[1]<span> </span></span><a href="https://lkml.org/lkml/2018/3/13/1544" rel="noreferrer" target="_blank" style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)">https://lkml.org/lkml/2018/3/<wbr>13/1544</a><br style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">>[2]<span> </span></span><a href="https://lkml.org/lkml/2017/10/13/177" rel="noreferrer" target="_blank" style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)">https://lkml.org/lkml/2017/10/<wbr>13/177</a><br style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">>[3]<span> </span></span><a href="http://blog.man7.org/2016/12/introspecting-namespace-relationships.html" rel="noreferrer" target="_blank" style="font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)">http://blog.man7.org/2016/12/<wbr>introspecting-namespace-<wbr>relationships.html</a></font><br></span></div><div><span style="color:rgb(0,0,0);font-family:arial,sans-serif;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></div><div>Thanks for your excellent documents which include many elegant thoughts.</div><div>I think starting with /proc/[pid]/ns/* is better one after reading over these documents. </div><div>Through reading a lot of articles to understand the structure of the namespace, the operation, and the new features of kernel 4.9 (I only contacted kernel 3.X and 4.1 before, but I'm downloading kernel 4.9), I know a truth that many things that can be used to display PIDs in different namespaces. </div><div><br></div><div>Some of my opinions as follows:</div><div>In this article by Michael Kerrisk (link: <a href="http://blog.man7.org/2016/12/introspecting-namespace-relationships.html">http://blog.man7.org/2016/12/introspecting-namespace-relationships.html</a>), the relationships and features between different namespaces are described.</div><div>Describes one of the important features of linux kernel 4.9: Support for binding a (unmounted) object in the namespace using the file descriptor fd. With this feature, we can check the /proc/[pid]/ns/* files for all processes and build a map which contains all processes in the pid_namespaces and reflects hierarchical pid_namespace, the use of this map can be realized that all processes <span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">on the system can </span>discover the PID and user namespace structure hierarchy on a live system.</div><div>Referring to the source code in <span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">the article with </span>the Go language <span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">(link:<span> </span></span><a href="http://blog.man7.org/2016/12/introspecting-namespace-relationships.html" style="color:rgb(17,85,204);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)">http://blog.man7.org/2016/12/introspecting-namespace-relationships.html</a><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">)</span>, I think what I can do at the moment is to use the knowledge from "Introduce to algorithm" and other Data Structures before learning, and use those knowledge to optimize the retrieval process. </div><div>Is there anything wrong with my understanding of those documents? </div><div>Is there any better suggestion?</div><div><br></div><div>BWT, there is another problem I don't how to solve it.<span style="color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif;font-size:13px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"> it needs CAP_SYS_ADMIN when system check the contents of <span style="color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif;font-size:13px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span> </span>/proc/[pid]/ns/* .</span></span></div><div>that means strace need CAP_SYS_ADMIN <span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span> </span>privileges </span>still. Is there some better ways to solve this problem?</div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-03-17 14:56 GMT+08:00 Eugene Syromiatnikov <span dir="ltr"><<a href="mailto:esyr@redhat.com" target="_blank">esyr@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Sat, Mar 17, 2018 at 10:52:39AM +0800, WeiDeng Lai wrote:<br>
> mounting /proc whenever we enter the new name space.<br>
<br>
</span>How do you expect to do this, taking into account the fact that strace<br>
process doesn't normally have CAP_SYS_ADMIN?<br>
<span class=""><br>
> To complete this requirement,we can make a try to add a<br>
> new kernel API for trans_pid between different pid_namespaces,such as patch<br>
</span>> in link: * <a href="https://lkml.org/lkml/2018/3/6/593" rel="noreferrer" target="_blank">https://lkml.org/lkml/2018/3/<wbr>6/593</a><br>
> <<a href="https://lkml.org/lkml/2018/3/6/593" rel="noreferrer" target="_blank">https://lkml.org/lkml/2018/3/<wbr>6/593</a>> *.<br>
<br>
Note Eric Biederman's comments there[1]. Please also refer to the<br>
discussion related to the previous version of the patch[2]. How do you<br>
expect to address the objections raised there in order to have the API<br>
accepted in the kernel's upstream?<br>
<span class=""><br>
> a few days ago,I talk with my  seniors of community,we have a consistent<br>
> point that add a new kernel API may a good idea,we can apply patch on later<br>
> kernel versions,and modify it so that patch can apply on 3.x to now.If it<br>
> make sense,I'll do this.<br>
<br>
</span>Note that stable upstream kernels do not normally accept new features.<br>
And downstream kernels are also quite hesitant in doing so.<br>
<span class=""><br>
> I don't hatch other methods,can someone provide some information or<br>
> documents for my reference?<br>
<br>
</span>There are NSFS_* ioctls present that can be used for (PID) namespace<br>
tree traversal[3]. Along with inspection of *id fields in<br>
/proc/<pid>/status, the available information information is sufficient<br>
for deriving the needed PID in strace's PID NS (having /proc mounted<br>
with different PID NS quite complicates things but still manageable).<br>
<br>
[1] <a href="https://lkml.org/lkml/2018/3/13/1544" rel="noreferrer" target="_blank">https://lkml.org/lkml/2018/3/<wbr>13/1544</a><br>
[2] <a href="https://lkml.org/lkml/2017/10/13/177" rel="noreferrer" target="_blank">https://lkml.org/lkml/2017/10/<wbr>13/177</a><br>
[3] <a href="http://blog.man7.org/2016/12/introspecting-namespace-relationships.html" rel="noreferrer" target="_blank">http://blog.man7.org/2016/12/<wbr>introspecting-namespace-<wbr>relationships.html</a><br>
<span class="HOEnZb"><font color="#888888">--<br>
Strace-devel mailing list<br>
<a href="mailto:Strace-devel@lists.strace.io">Strace-devel@lists.strace.io</a><br>
<a href="https://lists.strace.io/mailman/listinfo/strace-devel" rel="noreferrer" target="_blank">https://lists.strace.io/<wbr>mailman/listinfo/strace-devel</a><br>
</font></span></blockquote></div><br></div>