Re: RFC [patch 13/34] PID Virtualization Define new task_pid api

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



There areas.
1) Checkpointing.
2) Isolation for security purposes.
   There may be secrets that the sysadmin should not have access to.
I hope you understand, that such things do not make anything secure. Administrator of the node will always have access to /proc/kcore, devices, KERNEL CODE(!) etc. No security from this point of view.

3) Nesting of containers, (so they are general purpose and not special hacks).
Why are you interested in nesting? Any applications for this?
Until everything is virtualized in nesting way (including TCP/IP stack, routing etc.) I see no much use of it.

The vserver way of solving some of these problems is to provide a way
to enter the guest.  I would rather have some explicit operation that puts
you into the guest context so there is a single point where we can tackle
the nested security issues, than to have hundreds of places we have to
look at individually.
Huh, it sounds too easy. Just imagine that VPS owner has deleted ps, top, kill, bash and other tools. You won't be able to enter. Another example when VPS owner is near its resource limits - you won't be able to do anything after VPS entering.
Do you need other examples?

Kirill

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux