[Devel] Re: [RFC] ns containers (v2): namespace entering

Serge E. Hallyn serue at us.ibm.com
Wed Feb 21 13:04:01 PST 2007


Quoting Eric W. Biederman (ebiederm at xmission.com):
> "Serge E. Hallyn" <serue at us.ibm.com> writes:
> 
> > Quoting Eric W. Biederman (ebiederm at xmission.com):
> >> 
> >> You miss an issue here.  One of the dangers of enter is leaking
> >> capabilities into a contained set of processes.   Once you show up in
> >
> > Good point.  As wrong as it feels to me to use ptrace for this, the
> > advantage is that none of my task attributes leak into the target
> > namespace, and that's a very good thing.
> >
> > I do wonder how you specify what the forced clone should run.
> > Presumably you want to run something not in the target container.
> > I suppose we can pass the fd over a socket or something.
> 
> Yes.  At least in the case without a network namespace I can set up
> a unix domain socket and pass file descriptors around.  I think my solution
> to the network namespace case was to just set up a unix domain socket in
> the parent namespace and leave it open in init.  Not a real solution :(

How about we solve both this and the general ugliness of using ptrace
with a new

	hijack_and_clone(struct task_struct *tsk, int fd)

Which takes tsk, clones it, and execs the contents of fd?

-serge
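The descriptor-passing step Eric and Serge discuss above, as an added example that is not code from this thread or from the kernel: a descriptor is sent over a connected AF_UNIX socket with an SCM_RIGHTS control message, and the receiving side checks that the control data was not truncated and that the descriptor it got refers to the same open file. The function names send_fd, recv_fd and demo_pass_fd and the payload bytes are my own constructions; running the received descriptor (which would be fexecve in the "execs the contents of fd" step) is only noted in a comment, since an exec would replace the demonstrating process.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Send one file descriptor over a connected AF_UNIX socket using SCM_RIGHTS.
 * One data byte is carried so the datagram is never empty. Returns 0 on success. */
static int send_fd(int sock, int fd_to_send)
{
    char data = 'F';
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    /* The union keeps the control buffer correctly aligned for struct cmsghdr. */
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctl;
    memset(&ctl, 0, sizeof ctl);

    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf;
    msg.msg_controllen = sizeof ctl.buf;

    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor. Returns a fresh fd number in this process that refers
 * to the sender's open file description, or -1 on any malformed message. */
static int recv_fd(int sock)
{
    char data;
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctl;
    memset(&ctl, 0, sizeof ctl);

    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf;
    msg.msg_controllen = sizeof ctl.buf;

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    /* Truncated control data means the peer sent more descriptors than we
     * made room for; treat that as a protocol violation rather than guessing. */
    if (msg.msg_flags & MSG_CTRUNC)
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
    /* In the scenario from the thread the received fd would be the program to
     * run inside the target namespace, handed to fexecve(fd, argv, envp). */
}

/* Self-contained demonstration: pass the read end of a pipe across a socketpair
 * and read a constructed payload back through the received descriptor.
 * Returns 1 when inode and payload match (same open file arrived), else 0. */
int demo_pass_fd(void)
{
    int sv[2], pfd[2], got = -1, ok = 0;
    const char payload[] = "constructed payload";  /* sample data, not from the thread */
    char buf[sizeof payload];
    struct stat a, b;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    if (pipe(pfd) < 0) {
        close(sv[0]); close(sv[1]);
        return 0;
    }
    if (write(pfd[1], payload, sizeof payload) != (ssize_t)sizeof payload)
        goto out;
    if (send_fd(sv[0], pfd[0]) < 0)
        goto out;
    got = recv_fd(sv[1]);
    if (got < 0)
        goto out;
    if (fstat(pfd[0], &a) == 0 && fstat(got, &b) == 0 &&
        a.st_ino == b.st_ino && a.st_dev == b.st_dev &&
        read(got, buf, sizeof buf) == (ssize_t)sizeof buf &&
        memcmp(buf, payload, sizeof payload) == 0)
        ok = 1;
    close(got);
out:
    close(sv[0]); close(sv[1]); close(pfd[0]); close(pfd[1]);
    return ok;
}
```

The security-relevant point the thread makes is preserved by this shape: the program to run is opened outside the target namespace and arrives as a descriptor, so nothing the contained processes control is ever resolved by path or executed on their behalf, while the MSG_CTRUNC and cmsg checks make sure the receiver does not act on a message that carried more or less than the single descriptor it expected.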
_______________________________________________
Containers mailing list
Containers at lists.osdl.org
https://lists.osdl.org/mailman/listinfo/containers