On Wed, 2013-09-04 at 20:49 -0400, Vivek Goyal wrote:
> I did what Eric Biederman suggested. I first unshare the mount namespace
> of /sbin/kexec from parent. Then I disable any event propagation between
> mounts. Then I lazy unmount existing /proc and /sys and remount them. I
> think this should make sure that we are seeing at /proc and /sys as
> exported by kernel?

Namespaces have mostly been used with the assumption that namespaces
contain child processes, rather than parent processes attacking
children. Are we guaranteed that (barring ptrace) a parent process is
unable to manipulate a child's namespaces?

-- 
Matthew Garrett <matthew.garrett@xxxxxxxxxx>
_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel
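
An added example, not part of the original mail and not kexec-tools code: a C rendering of the sequence described in the quoted text (unshare the mount namespace, make mounts private, lazily unmount /proc and /sys, remount them), followed by a statfs check that the new mounts really are procfs and sysfs. The function names, the mount flags, the unmount loop and the final check are assumptions; it needs CAP_SYS_ADMIN and does not settle whether a parent can later interfere with the child's namespace.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/vfs.h>
#include <linux/magic.h>

/* 1 if path is on a filesystem with this magic, 0 if not, -1 on error. */
int is_fs_magic(const char *path, long magic)
{
    struct statfs sfs;
    if (statfs(path, &sfs) != 0)
        return -1;
    return (long)sfs.f_type == magic;
}

/* Lazily detach every mount stacked on path; "not a mount point" ends the loop. */
static int detach_all(const char *path)
{
    while (umount2(path, MNT_DETACH) == 0)
        ;
    return errno == EINVAL ? 0 : -1;
}

/* Returns 0 on success, or minus the number of the step that failed. */
int isolate_proc_sys(void)
{
    const unsigned long fl = MS_NOSUID | MS_NODEV | MS_NOEXEC; /* assumed flags */
    if (unshare(CLONE_NEWNS) != 0)                      /* 1: own mount namespace */
        return -1;
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) /* 2: no propagation */
        return -2;
    if (detach_all("/proc") != 0 || detach_all("/sys") != 0)   /* 3: lazy unmount */
        return -3;
    if (mount("proc", "/proc", "proc", fl, NULL) != 0 ||        /* 4: remount */
        mount("sysfs", "/sys", "sysfs", fl, NULL) != 0)
        return -4;
    if (is_fs_magic("/proc", PROC_SUPER_MAGIC) != 1 ||  /* 5: added check */
        is_fs_magic("/sys", SYSFS_MAGIC) != 1)
        return -5;
    return 0;
}

int main(void)
{
    int rc = isolate_proc_sys();   /* needs CAP_SYS_ADMIN */
    printf("isolate_proc_sys: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```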