Serge E. Hallyn wrote: > Quoting Casey Schaufler (casey@xxxxxxxxxxxxxxxx): > >> Could y'all bring me up to speed on what this is intended to >> accomplish so that I can understand the Smack implications? >> > It's basically like ptracing a process, forcing it to fork, then having > the child execute a file and continue as your child. It takes part of > its state from the current process (stack etc), some from the hijacked > process (namespaces, keys?), and an lsm can decide for itself whose ->security > should be used for the child process. > That just doesn't gob smack me with the obvious abstract intention of this API :) So it is like I want to run a process inside a name space, but I am not inside that name space, so I highjack one that is in there, force it to fork, and then give me its child. Ugh. Couldn't we just implement "put me in that namespace over there?" AFAIK namespaces don't actually have names, making it hard to implement "put me in namespace Foo", but I view that as a defect of namespaces that should be fixed, rather than hacked around. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin CEO, Mercenary Linux http://mercenarylinux.com/ Itanium. Vista. GPLv3. Complexity at work _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
