Re: [RCF] [PATCH] unprivileged mount/umount

Bodo Eggert wrote:
> > > > How about a new clone option "CLONE_NOSUID"?
> > > 
> > > IMO, the clone call is the wrong place to create namespaces. It
> > > should be deprecated by a mkdir/chdir-like interface.
> > 
> > And the mkdir/chdir interface already exists, see "cd /proc/NNN/root".
> 
> If you want persistent namespaces, this will be a PITA (I don't want a 
> keep-the-namespace-open-daemon), and if you don't, it will be racy 
> (user a logs in, while his second/nth login expires).
> 
> Keeping a list of named namespaces in kernel can be made cheap and secure.

Still easy.

To keep persistent named namespaces in /var/namespaces, thus:

     # Just once please!
     mount -t tmpfs none /var/namespaces

     # Make a named namespace.
     NSNAME='fred'
     mkdir /var/namespaces/$NSNAME
     run_in_new_namespace mount -t bind / /var/namespaces/$NSNAME

     # Make a named namespace for the _original_ namespace.
     mkdir /var/namespaces/initial
     mount -t bind / /var/namespaces/initial

     # Access the namespace.
     ls /var/namespaces/fred

     # Enter the namespace.
     chroot /var/namespaces/fred

     # Delete a named namespace.
     NSNAME='fred'
     umount /var/namespaces/$NSNAME
     rmdir /var/namespaces/$NSNAME

Some of the above will fail due to security checks in fs/namespace.c,
where it tests against current->namespace.  Without those checks,
which seem to have no purpose _other_ than preventing the above usage,
I think the above would all work.

-- Jamie
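The sketch above needs a kernel change; Linux later got the same effect by a different route. Since 3.8, a namespace stays alive for as long as its /proc/PID/ns/mnt file is bind-mounted somewhere (namespaces(7)), which is exactly what util-linux `unshare --mount=FILE` and `nsenter --mount=FILE` rely on. The following script is an added example, not code from this thread or from util-linux: it implements Jamie's /var/namespaces layout (create, list, enter, delete) on top of that mechanism, plus the one check the sketch lacks, a name filter so a caller-supplied "../etc/passwd" cannot escape the directory. It assumes root (CAP_SYS_ADMIN), a util-linux with persistent-namespace support, and the hypothetical names NSDIR and ns_*.

```shell
#!/bin/sh
# Added example (not from the thread): persistent, named mount namespaces
# kept alive by bind-mounting /proc/PID/ns/mnt, the mechanism unshare(1)
# and nsenter(1) use. Requires root and util-linux; NSDIR and ns_* are mine.
set -u

NSDIR=${NSDIR:-/run/namespaces}

# Names become path components under NSDIR, so reject anything that could
# leave the directory or be parsed as an option by mount/umount/rm.
ns_name_ok() {
    case "$1" in
        ''|*/*|.|..|-*) return 1 ;;
    esac
    return 0
}

# One-time setup: unshare(1) requires the persistent file to sit on a mount
# whose propagation type is not shared, so pin NSDIR as a private mount.
ns_setup() {
    mkdir -p "$NSDIR"
    mountpoint -q "$NSDIR" || mount --bind "$NSDIR" "$NSDIR"
    mount --make-private "$NSDIR"
}

# Create a named namespace, populated by the command following the name:
#   ns_create fred sh -c 'mount -t tmpfs none /tmp'
# unshare bind-mounts /proc/<pid>/ns/mnt onto the file, so the namespace
# outlives the command.
ns_create() {
    name=$1; shift
    ns_name_ok "$name" || { echo "bad namespace name: $name" >&2; return 1; }
    [ $# -gt 0 ] || set -- true
    : > "$NSDIR/$name"                  # bind-mount target must exist
    unshare --mount="$NSDIR/$name" "$@"
}

# Run a command inside a named namespace (the sketch's "chroot" step).
# setns() on a mount namespace also moves root and cwd to its root, so
# absolute paths in the command resolve inside the namespace.
ns_enter() {
    name=$1; shift
    ns_name_ok "$name" || return 1
    nsenter --mount="$NSDIR/$name" "$@"
}

# Identity of the namespace a file pins: the "mnt:[inode]" string that
# readlink /proc/self/ns/mnt prints.
ns_id() {
    ns_enter "$1" readlink /proc/self/ns/mnt
}

ns_list() { ls -1 "$NSDIR"; }

# Delete: drop the pin; the kernel frees the namespace once no process
# and no mount references it.
ns_delete() {
    name=$1
    ns_name_ok "$name" || return 1
    umount "$NSDIR/$name" && rm -f "$NSDIR/$name"
}

# Demo: create "fred" with a private /tmp, show it differs from the
# initial namespace, then remove it.
ns_demo() {
    ns_setup
    ns_create fred sh -c 'mount -t tmpfs none /tmp && touch /tmp/only-in-fred'
    echo "initial: $(readlink /proc/self/ns/mnt)"
    echo "fred:    $(ns_id fred)"
    ns_enter fred ls /tmp/only-in-fred
    ls /tmp/only-in-fred 2>/dev/null || echo "not visible in the initial namespace"
    ns_delete fred
}

case "${1:-}" in
    demo) ns_demo ;;
    *)    ;;   # no argument: define functions only
esac
```

Run it as `sh script.sh demo` as root. The two readlink values differ because each mount namespace has its own nsfs inode, and the file under NSDIR keeps "fred" alive with no process inside it, which is the persistence Bodo asked for without a keep-the-namespace-open daemon.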
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
