[Devel] Re: namespaces compatibility list

Cedric Le Goater clg at fr.ibm.com
Wed Nov 7 00:20:58 PST 2007


Pavel Emelyanov wrote:
> Eric W. Biederman wrote:
>> Cedric Le Goater <clg at fr.ibm.com> writes:
>>> right. I think we can address Ulrich concerns first because we have 
>>> a solution for it (which looks like unsharing all namespaces at once,
>>> here comes back the container object story :)
>> It doesn't work because we can't create a fresh mount namespace.
>>
>> We need to create all new mounts (and deny access to the old ones)
>> if we want to prevent all possibility of user space goof ups.
>>
>> While that is easy enough to build an application to do we can't
>> easily enforce that in the kernel.  Currently this is all
>> CAP_SYS_ADMIN so only root can do this anyway.  So we can easily
>> say don't do that then.
>>
>> Clone flag consistency checking should only be used to enforce
>> cases where the kernel side cannot support correctly.  Currently
>> the kernel has no problems with the current mix and match possibilities
>> short of implementation deficiencies.  So I do not see us
>> addressing Ulrich's concerns with clone flags.
> 
> ACK :) Since this all is CAP_SYS_ADMIN-ed we can do with just a warning.

Fine with me. 

Let's come back to the document, then.

C.
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers




More information about the Devel mailing list