On Sun, Dec 13, 2009 at 2:21 PM, Michael Stone <michael@xxxxxxxxxx> wrote:
> For comparison, I do use CLONE_NEWNS mount namespaces and they've been a
> real pain because
>
> a) unlike in Plan 9, they're privileged,
>
> b) they greatly complicate debugging the isolated app because you see
> different things inside and outside the namespace,
>
> c) there's no good way to manipulate them from userland, and
>
> d) they're poorly documented outside of the mount man page.

Maybe we could try to fix those problems.

The reason chroot() and clone()/CLONE_NEWNS are privileged is that they
provide a way to violate the assumptions of setuid/setgid executables. If we
add a per-process flag that prevents a process from exec'ing setuid
executables, we could allow chroot() and CLONE_NEWNS when that flag is set.
That fixes (a).

Maybe we could fix (b) by making mount namespaces into first class objects
that can be named through a file descriptor, so that one process can
manipulate another process's namespace without itself being subject to the
namespace.

Cheers,

Mark

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
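Added example, not part of the thread: later Linux kernels shipped almost exactly the two halves proposed above, the per-process "no setuid gain" flag as PR_SET_NO_NEW_PRIVS (3.5) and unprivileged CLONE_NEWNS via user namespaces (3.8). The program below sets the flag, then tries to enter a fresh user+mount namespace as a normal user and put a private tmpfs on /tmp that no other process can see; the mount step is assumed to be allowed by the host (kernels or sandboxes that disable unprivileged user namespaces return EPERM, which the code reports rather than hides).

```c
// Linux-only. Demonstrates PR_SET_NO_NEW_PRIVS + unprivileged user/mount
// namespaces, the modern form of the "flag, then allow CLONE_NEWNS" idea.
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <unistd.h>

/* One-way flag: from now on execve() can no longer raise privileges through
 * setuid/setgid bits or file capabilities. Returns the flag as read back
 * (1 on success) or -errno if the kernel refuses. */
int set_no_new_privs(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Enter a new user + mount namespace without root and mount a private tmpfs
 * on `dir`. Other processes keep seeing the original `dir`. Returns 0 on
 * success, -errno if the host disallows it (commonly -EPERM). */
int private_tmpfs(const char *dir) {
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0)
        return -errno;
    /* Make the whole tree private so nothing propagates back to the parent. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return -errno;
    /* nosuid/nodev: nothing placed here can become a setuid foothold. */
    if (mount("none", dir, "tmpfs", MS_NOSUID | MS_NODEV, "size=1m") != 0)
        return -errno;
    return 0;
}

int main(void) {
    printf("no_new_privs = %d\n", set_no_new_privs());
    int rc = private_tmpfs("/tmp");
    if (rc == 0)
        printf("private tmpfs on /tmp, visible only in this namespace\n");
    else
        printf("namespace setup refused: %s\n", strerror(-rc));
    return 0;
}
```

Run it, then `ls /tmp` from another shell: the tmpfs is only visible from inside the process that created the namespace, which is point (b) of the complaint above.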