2010/12/10 Matt McCutchen <matt@xxxxxxxxxxxxxxxxx>:
> On Fri, 2010-12-10 at 15:06 +0000, Daniel P. Berrange wrote:
>> Adding CLONE_NEWPID would be worthwhile to stop the
>> mock process seeing any other PIDs on the machine.
>
> It's critical, or mock could ptrace some process running as root on the
> host and inject arbitrary code.

Wouldn't a properly set-up LXC container be a better solution here? See
http://lxc.sourceforge.net/ .

LXC is already packaged for Fedora, and also in RHEL6 iiuc.

--
Thomas Moschny <thomas.moschny@xxxxxxxxx>
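
The PID isolation discussed in the quoted messages, as an added C example that is not part of the thread and not mock's or LXC's code: it checks from inside a new PID namespace that a process which exists outside can no longer be addressed by its PID. The function name `probe_pid_namespace` is hypothetical, and `CLONE_NEWUSER` is an assumption added only so the check can run without root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (added example). Returns a bitmask:
 *   bit 0: the first process in the new namespace sees itself as PID 1
 *   bit 1: a PID that is live outside the namespace gives ESRCH inside
 * Returns -1 if the kernel or a sandbox refuses to create the namespace. */
int probe_pid_namespace(void)
{
    pid_t helper = fork();
    if (helper < 0)
        return -1;
    if (helper == 0) {
        pid_t outside = getpid();   /* stays alive outside the new namespace */
        /* Assumption: CLONE_NEWUSER is added so an unprivileged user can
         * run this; a tool already running as root needs only CLONE_NEWPID. */
        if (unshare(CLONE_NEWUSER | CLONE_NEWPID) != 0)
            _exit(100);
        pid_t init = fork();        /* first child lands in the new namespace */
        if (init < 0)
            _exit(100);
        if (init == 0) {
            int seen = (getpid() == 1) ? 1 : 0;
            if (kill(outside, 0) == -1 && errno == ESRCH)
                seen |= 2;          /* outside PID cannot be named from here */
            _exit(seen);
        }
        int st;
        if (waitpid(init, &st, 0) < 0 || !WIFEXITED(st))
            _exit(100);
        _exit(WEXITSTATUS(st));
    }
    int st;
    if (waitpid(helper, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st) == 100 ? -1 : WEXITSTATUS(st);
}

int main(void)
{
    printf("probe_pid_namespace() = %d\n", probe_pid_namespace());
    return 0;
}
```

A result of 3 means both observations held. The same lookup failure applies to any call that names a target by PID, which is why a process confined this way cannot attach to processes outside its namespace.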