[Devel] Re: Network isolation with RLIMIT_NETWORK, cont'd.
Mark Seaborn
mrs at mythic-beasts.com
Thu Dec 17 09:31:23 PST 2009
On Sun, Dec 13, 2009 at 2:21 PM, Michael Stone <michael at laptop.org> wrote:
> For comparison, I do use CLONE_NEWNS mount namespaces and they've been a
> real pain because
>
> a) unlike in Plan 9, they're privileged,
>
> b) they greatly complicate debugging the isolated app because you see
> different things inside and outside the namespace,
>
> c) there's no good way to manipulate them from userland, and
>
> d) they're poorly documented outside of the mount man page.
>
Maybe we could try to fix those problems.
The reason chroot() and clone()/CLONE_NEWNS are privileged is that they
provide a way to violate the assumptions of setuid/setgid executables. If
we add a per-process flag that prevents a process from exec'ing setuid
executables, we could allow chroot() and CLONE_NEWNS when that flag is set.
That fixes (a).
Maybe we could fix (b) by making mount namespaces into first class objects
that can be named through a file descriptor, so that one process can
manipulate another process's namespace without itself being subject to the
namespace.
Cheers,
Mark
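The per-process flag proposed above (no exec of setuid executables, so that chroot() and CLONE_NEWNS can no longer be used against their assumptions) later landed in Linux as PR_SET_NO_NEW_PRIVS (Linux 3.5), introduced for the same reason to let unprivileged processes install seccomp filters. The C program below is an added example, not code from this thread; it assumes a Linux host and shows the flag's semantics: settable without privilege, irreversible, visible in /proc/self/status, and inherited by child processes.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/wait.h>

/* Set the flag from an unprivileged process; returns what PR_GET reads back (1 if set). */
int enter_no_new_privs(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* The flag is one-way: an attempt to clear it (arg2 != 1) is rejected with EINVAL. */
int no_new_privs_is_sticky(void) {
    errno = 0;
    return prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 && errno == EINVAL;
}

/* Independent view of the same state: the NoNewPrivs line in /proc/self/status
   (-1 if the kernel does not expose it). */
int no_new_privs_from_procfs(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int value = -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "NoNewPrivs: %d", &value) == 1) break;
    fclose(f);
    return value;
}

/* Children inherit the flag across fork (and it survives execve, which is the
   point): returns 1 if a forked child reports the flag as set. */
int child_sees_no_new_privs(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) {
    printf("set:       %d\n", enter_no_new_privs());
    printf("sticky:    %d\n", no_new_privs_is_sticky());
    printf("procfs:    %d\n", no_new_privs_from_procfs());
    printf("inherited: %d\n", child_sees_no_new_privs());
    return 0;
}
```

Once the flag is set, an execve() of a setuid or setgid binary (or one with file capabilities) runs it with the caller's credentials unchanged, which is exactly the guarantee that would let chroot() and CLONE_NEWNS be granted to such a process.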
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers