Re: [PATCH] private mounts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 26 Apr 2005, Bryan Henderson wrote:

> >> Just to be clear, then: this idea is fundamentally different from the 
> >> mkdir/cd analogy the thread starts with above.
> >
> >NACK, it's very similar to the cd "$HOME" (or ulimit calls) done by the
> >login mechanism,
> 
> That's not a NACK.  The cd "$HOME" and ulimit calls done by the login 
> process (more precisely, by a shell profile) are quite different from the 
> mkdir/cd the thread started with.  Who creates a new directory in his 
> shell profile?

I create a directory in /tmp and set $TMP to that directory, because I 
can't just mount a private tmpfs. But that's another topic.

>  I assume the mkdir/cd analogy is a case of a person doing 
> a mkdir and cd in a running shell.  (That is indeed analogous to what one 
> would like to do with a private mount).

ACK, with respect to lifetime and processes affected, it will be exactly
like creating/using a directory in a tmpfs. But as you noticed, you'd need
the shell builtin command to make this analogy complete. That's not going
to happen, but it's not needed for operation.

> When you said "by the login process or by wrappers like nice," in response 
> to my pointing out that setnamespace would need to be a shell builtin 
> command, I assumed you were talking about putting it in the code that 
> execs the shell as opposed to in the shell profile, thus eliminating the 
> need for a shell builtin.

Exactly. You can't patch all login daemons, so you'll need pam to do the
initial setup.

After that, the users may decide to ignore having a private namespace (it
will just DTRT), or they can decide to use that feature to lock in some of
their programs. Obviously pam won't allow private sub-namespaces at random
times, while the general system call would support this, and their shell
won't do that, too. In the same way you'll need a wrapper like "#!/bin/sh
cd $dir&&exec $prog" for doing the initial chdir on behalf of
chdir-ignorant programs, you'll need a wrapper for setnamespace-ignorant
programs. The only difference is that chdir-ignorant programs are rare.

> But the important thing is just to recognize, as you say explicitly now, 
> that setnamespace has to be shell builtin command for 
> setnamespace/mknamespace to be analogous to mkdir/cd.  That was my 
> original statement, if somewhat indirect:

For the analogy yes, for usage no.
-- 
The secret of the universe is #@*%! NO CARRIER 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux