This patch opens a way to connect via a Unix socket from one namespace to another if these sockets are opened via the conventional filesystem interface. Such an approach allows sharing important services between namespaces in an efficient way. This breach is controlled by means of a shared filesystem, i.e. if somebody really wants to isolate containers, he should start from filesystem separation.

Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>

--- net/unix/af_unix.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 39d2173..0e1eccd 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -297,9 +297,6 @@ static struct sock *unix_find_socket_byinode(struct net *net, struct inode *i) &unix_socket_table[i->i_ino & (UNIX_HASH_SIZE - 1)]) { struct dentry *dentry = unix_sk(s)->dentry; - if (!net_eq(sock_net(s), net)) - continue; - if(dentry && dentry->d_inode == i) { sock_hold(s); -- 1.5.3.rc5

_______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
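
Review bot: Dropping the net_eq(sock_net(s), net) test in unix_find_socket_byinode() leaves dentry->d_inode == i as the only match condition, so the loop now returns a socket from any network namespace, and nothing at this site records that this is intentional. Since the commit message makes filesystem separation the sole control for sockets opened through the filesystem, add a short comment above the dentry comparison stating that the lookup is deliberately not namespace-scoped, so a later cleanup neither restores the check nor assumes the isolation still exists. The struct net *net parameter shown in the hunk header also loses its only visible use here; if nothing else in the function reads it, drop it from the signature and update the callers in this same patch.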