James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> writes:

> On July 8, 2016 1:38:19 PM PDT, Andrew Vagin <avagin@xxxxxxxxxxxxx> wrote:
>> What do you think about the idea to mount nsfs and be able to look up
>> any alive namespace by inum:
>
> I think I like it. It will give us a way to enter any extant
> namespace. It will work for Eric's fs namespaces as well. Perhaps a
> /process/ns/<inum> directory?

*Shivers*

That makes it very easy to bypass any existing controls that exist for
getting at namespaces. It is true that everything of that kind is
directory based but still.

Plus I think it would serve as an information leak to information outside
of the container.

An operation to get a user namespace file descriptor from some kernel
object sounds reasonably sane. A great big list of things sounds about as
scary as it can get.

This is not the time to be making it easier to escape from containers.

Eric