On Fri, Dec 10, 2010 at 06:06:47PM +0000, Richard W.M. Jones wrote:
> On Fri, Dec 10, 2010 at 03:06:59PM +0000, Daniel P. Berrange wrote:
> > The theory is as follows though
> >
> > 1. clone() with the CLONE_NEWNS set
> [...]
> > There are various other CLONE flags that lock down more
> > things if desired, e.g. to hide all host network interfaces.
>
> I don't think CLONE_* can stop them creating a /dev/hda-equivalent
> device node and then editing files on your real hard disk.

That's what the cgroups device ACL I mentioned is for. You set it
up to only allow /dev/null, /dev/zero & similar nodes.

Daniel

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
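The two-layer setup discussed in the thread, as an added example that is not code from the thread or from any project mentioned in it: the child is started with clone(CLONE_NEWNS | CLONE_NEWNET), which on its own does nothing to stop a privileged child from mknod()ing a node for the host's disk, and the cgroup v1 devices controller is then used to deny every device and whitelist only /dev/null, /dev/zero and similar nodes. With the whitelist in place the kernel refuses both the mknod (the "m" permission) and any open of a non-listed node. Assumptions made here: the controller is mounted at /sys/fs/cgroup/devices, the cgroup name "sandbox-demo" is arbitrary, the major:minor numbers are the standard Linux ones for those character devices, and the program must run as root for clone() with namespace flags and for writing to the cgroup files. On a cgroup v2 system the devices controller no longer exists and the same policy is expressed as a BPF cgroup device program, which this example does not cover.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/wait.h>
#include <unistd.h>

/* Device nodes the sandboxed child may still use; major:minor are the
 * standard Linux character-device numbers for these nodes. */
struct dev_rule { const char *path; int major; int minor; };
static const struct dev_rule allowed[] = {
    { "/dev/null",   1, 3 }, { "/dev/zero",    1, 5 }, { "/dev/full", 1, 7 },
    { "/dev/random", 1, 8 }, { "/dev/urandom", 1, 9 }, { "/dev/tty",  5, 0 },
};
#define N_ALLOWED (sizeof allowed / sizeof allowed[0])

/* Assumed cgroup v1 devices hierarchy mount point and an arbitrary cgroup name. */
#define DEVCG_ROOT "/sys/fs/cgroup/devices"
#define DEVCG_NAME "sandbox-demo"

/* New mount namespace (CLONE_NEWNS) plus new network namespace (CLONE_NEWNET):
 * the child cannot alter the host mount table or see host interfaces. */
int sandbox_clone_flags(void) { return CLONE_NEWNS | CLONE_NEWNET | SIGCHLD; }

/* Render one devices.allow entry: "c MAJOR:MINOR rwm" (read, write, mknod). */
int format_device_rule(char *buf, size_t len, const struct dev_rule *r) {
    return snprintf(buf, len, "c %d:%d rwm", r->major, r->minor);
}

static int write_str(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Deny every device in the cgroup, then allow only the nodes listed above.
 * cgdir must contain the controller's devices.deny / devices.allow files. */
int apply_device_whitelist(const char *cgdir) {
    char path[512], rule[64];
    snprintf(path, sizeof path, "%s/devices.deny", cgdir);
    if (write_str(path, "a\n") < 0) return -1;          /* "a" = all devices */
    snprintf(path, sizeof path, "%s/devices.allow", cgdir);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    for (size_t i = 0; i < N_ALLOWED; i++) {            /* one write per rule */
        int len = format_device_rule(rule, sizeof rule, &allowed[i]);
        rule[len++] = '\n';
        if (write(fd, rule, len) != len) { close(fd); return -1; }
    }
    return close(fd);
}

/* The attack from the thread: forge a block node for the host's first disk
 * (8:0 = sda) inside the namespace and try to open it. */
static int sandboxed_child(void *arg) {
    int go_fd = *(int *)arg;
    char byte;
    if (read(go_fd, &byte, 1) != 1) return 1;           /* wait for cgroup move */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) perror("MS_PRIVATE");
    const char *fake = "/tmp/hda-equivalent";
    if (mknod(fake, S_IFBLK | 0600, makedev(8, 0)) < 0) {
        printf("child: mknod(%s) refused: %s\n", fake, strerror(errno));
    } else {
        int fd = open(fake, O_RDWR);
        printf("child: open(%s) -> %s\n", fake,
               fd < 0 ? strerror(errno) : "SUCCEEDED, host disk is reachable");
        if (fd >= 0) close(fd);
        unlink(fake);
    }
    int fd = open("/dev/null", O_WRONLY);               /* whitelisted: still works */
    printf("child: open(/dev/null) -> %s\n", fd < 0 ? strerror(errno) : "ok");
    if (fd >= 0) close(fd);
    return 0;
}

int main(void) {
    char cgdir[256], path[300], pidbuf[32];
    int pipefd[2], status;
    static char stack[64 * 1024];
    snprintf(cgdir, sizeof cgdir, "%s/%s", DEVCG_ROOT, DEVCG_NAME);
    if (mkdir(cgdir, 0755) < 0 && errno != EEXIST) { perror("mkdir cgroup"); return 1; }
    if (apply_device_whitelist(cgdir) < 0) { perror("device whitelist"); return 1; }
    if (pipe(pipefd) < 0) { perror("pipe"); return 1; }
    pid_t pid = clone(sandboxed_child, stack + sizeof stack, sandbox_clone_flags(), &pipefd[0]);
    if (pid < 0) { perror("clone (needs root / CAP_SYS_ADMIN)"); return 1; }
    snprintf(path, sizeof path, "%s/tasks", cgdir);     /* move child into the cgroup */
    snprintf(pidbuf, sizeof pidbuf, "%d\n", (int)pid);
    if (write_str(path, pidbuf) < 0) { perror("cgroup tasks"); kill(pid, SIGKILL); }
    (void)!write(pipefd[1], "g", 1);                    /* release the child */
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

The order matters: the child is created first, written into the cgroup's tasks file, and only then released through the pipe, so it never runs a single instruction with the host's full device table. Running it as root on a cgroup v1 host prints the mknod refusal; running it after commenting out apply_device_whitelist shows the open on the forged node succeeding, which is exactly the hole the namespace flags alone leave.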