Daniel Lezcano wrote:
> Cedric Le Goater wrote:
>> Pavel Emelyanov wrote:
>>> Daniel Lezcano wrote:
>>>> Pavel Emelyanov wrote:
>>>>>> So there are 2 cases:
>>>>>> * full isolation : restriction on VPS
>>>>>> * partial isolation : no restriction but *perhaps* problem when migrating
>>>>>>
>>>>>> Looks like we need an option per namespace to reduce the isolation for
>>>>>> af_unix sockets :)
>>>>>> - on (default): current behaviour => full isolation
>>>>>> - off : partial isolation
>>>>> You mean some sysctl that enables/disables this check in unix_find_socket_byinode?
>>>> Yes.
>>> OK. Den, please, do :)
>> Hmm, would that allow sibling namespaces to connect to each other? If so,
>> I'm not in favor of such a solution.
>>
>> I understand the need. We had a similar issue with the command line tool
>> pgsl. Could we work something out with the capabilities? Or make an
>> exception if your ->nsproxy->net_ns == init_net?
>
> Why are capabilities better than a simple sysctl?

Because it depends on the current process's privilege and not just on some random process.

> Making an exception for init_net will break the nested containers, no?

Maybe. I don't know how this is implemented. If we break isolation, my feeling is that we should only do it for a parent namespace. It just feels wrong to allow sibling namespaces to connect to each other.

C.

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers