On Fri, May 11, 2018 at 03:58:39PM +0200, Jann Horn wrote:
> On Fri, May 11, 2018 at 11:37 AM, Alexey Gladkov
> <gladkov.alexey@xxxxxxxxx> wrote:
> > This allows hiding all files and directories in procfs that are not
> > related to tasks.
>
> /proc/$pid/net and /proc/$pid/task/$tid/net aren't in scope for this
> protection, even though they contain information about the whole
> network namespace of the task, right?

Yes. The pidonly option makes only the pid subset visible. You can still
access the process namespaces via /proc/$pid/ns.

We can think of additional constraints, since the parameters are not
stored in the pid namespace anymore.

--
Rgrds, legion
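To see what such a pid-only mount still exposes, here is an added audit script (not code from the thread or the patch): it lists the non-pid entries that remain visible at the top level and, per task, the /proc/$pid/net, /proc/$pid/ns and /proc/$pid/task/$tid/net entries that the option leaves reachable. The sample listing is constructed so the script runs offline; pointed at a real mount path it walks that instead.

```python
import os

# Constructed sample: directories visible in a hypothetical pid-only proc
# mount at /mnt/proc (not real output; built so the audit runs offline).
SAMPLE_DIRS = {
    "/mnt/proc/1", "/mnt/proc/1/net", "/mnt/proc/1/ns", "/mnt/proc/1/task",
    "/mnt/proc/1/task/1", "/mnt/proc/1/task/1/net",
    "/mnt/proc/42", "/mnt/proc/42/net", "/mnt/proc/42/ns",
    "/mnt/proc/self", "/mnt/proc/thread-self",
}

def sample_listdir(path):
    """listdir() over the constructed sample tree."""
    prefix = path.rstrip("/") + "/"
    return sorted({d[len(prefix):].split("/")[0]
                   for d in SAMPLE_DIRS if d.startswith(prefix)})

def sample_isdir(path):
    return path in SAMPLE_DIRS

def split_entries(names):
    """Separate a top-level proc listing into pid directories and the rest."""
    pids = sorted((n for n in names if n.isdigit()), key=int)
    others = sorted(n for n in names if not n.isdigit())
    return pids, others

def namespace_exposure(root, pid, listdir=os.listdir, isdir=os.path.isdir):
    """Paths under one task that describe a whole namespace rather than the
    task itself: $pid/net, $pid/ns and each thread's $pid/task/$tid/net."""
    found = []
    for rel in ("net", "ns"):
        p = os.path.join(root, pid, rel)
        if isdir(p):
            found.append(p)
    task_dir = os.path.join(root, pid, "task")
    if isdir(task_dir):
        for tid in listdir(task_dir):
            p = os.path.join(task_dir, tid, "net")
            if isdir(p):
                found.append(p)
    return found

def audit(root, listdir=os.listdir, isdir=os.path.isdir):
    """Report non-pid entries still visible and per-task namespace paths."""
    pids, others = split_entries(listdir(root))
    exposure = {pid: namespace_exposure(root, pid, listdir, isdir) for pid in pids}
    return {"non_pid_entries": others,
            "namespace_paths": {p: v for p, v in exposure.items() if v}}

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/proc"  # a real mount to inspect
    report = audit(root)
    print("non-pid entries still visible:", report["non_pid_entries"])
    for pid, paths in report["namespace_paths"].items():
        print(pid, "->", ", ".join(paths))
```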