Quoting Janne Karhunen (janne.karhunen@xxxxxxxxx):
> On Tue, May 7, 2013 at 9:38 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
>
> > So far it appears that we don't need a device namespace.  As for most
> > things the usual DAC permissions apply.
>
> Serge, please note ;)

?  Here are some possibilities regarding devices:

1. ptys are already namespaced in their own way
2. loop is not namespaced, but easily could be.  The question is how to
   trigger a new namespace for them.  Maybe a loopfs with newinstance
   option :)
3. c 4 1 (/dev/tty1).  Right now containers handle this purely through
   obfuscation at the filename level, symlinking /dev/tty1 to a pty.  We
   could namespace tasks at a tty level, so that c 4 1 either points to a
   provided open fd, or to nothing, in the new namespace.
4. Video cards could be handled by introducing virtual devices to replace
   the physical ones, OR they could be handled by passing the physical
   video card to a different X namespace (X being user, device, or
   something else).  Both have in the past been mentioned by Eric, and
   they're not mutually exclusive.

So, I object to a blanket "this capability changes the meaning of all your
other capabilities with respect to the hardware."  However, perhaps we could
do something like "pass this device to that user namespace, so that any
capabilities he has toward his user namespace will be allowed against that
device."

> > The exceptions that I am aware of where we need something extra are
> > cases where the device abstraction is simply insufficient and needs
> > to be improved.
> >
> > You can pass real network devices between network namespaces.
>
> Have you considered passing things like frame buffer, input subsystem
> and/or modem(s)?

We have, but I'm not sure we've discussed (though I'm sure we've all
thought about) just passing straight to a user namespace.
-serge

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
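Item 3 above describes the "filename-level obfuscation" containers rely on today: /dev/tty1 in the container is a symlink to a pty rather than the host's c 4 1 node. The following audit helper is an added example, not code from this thread or from any container project; it uses only stat/lstat and the kernel's documented device numbers (major 4, minors 1-63 for virtual consoles; majors 136-143 for pty slaves) to tell whether a /dev entry really reaches host hardware or only the intended pty indirection.

```c
/* Added audit helper, not code from the thread.  It tells a real hardware device
 * node in a container's /dev from the filename-level trick the post describes
 * (/dev/tty1 symlinked to a pty).  Device numbers are the kernel's documented ones:
 * major 4 minors 1-63 are virtual consoles, majors 136-143 are pty slaves. */
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>

enum dev_kind { DEV_MISSING, DEV_NOT_DEVICE, DEV_LINKED_DEVICE, DEV_REAL_DEVICE };
struct dev_info { enum dev_kind kind; char type; unsigned int major, minor; };

/* lstat shows whether the name itself is a symlink (the obfuscation layer);
 * stat follows it to the node a process in the container would really open. */
int inspect_dev_node(const char *path, struct dev_info *out)
{
    struct stat link_st, node_st;
    memset(out, 0, sizeof *out);
    if (lstat(path, &link_st) != 0 || stat(path, &node_st) != 0) {
        out->kind = DEV_MISSING;
        return -1;
    }
    if (!S_ISCHR(node_st.st_mode) && !S_ISBLK(node_st.st_mode)) {
        out->kind = DEV_NOT_DEVICE;
        return 0;
    }
    out->kind = S_ISLNK(link_st.st_mode) ? DEV_LINKED_DEVICE : DEV_REAL_DEVICE;
    out->type = S_ISCHR(node_st.st_mode) ? 'c' : 'b';   /* char or block */
    out->major = major(node_st.st_rdev);
    out->minor = minor(node_st.st_rdev);
    return 0;
}

/* "c 4 1" from the thread: a host virtual console reached as real hardware. */
int is_host_virtual_console(const struct dev_info *d)
{
    return d->kind >= DEV_LINKED_DEVICE && d->type == 'c' &&
           d->major == 4 && d->minor >= 1 && d->minor <= 63;
}

/* The intended indirection: the node is a pty slave, not the physical console. */
int is_pty_slave(const struct dev_info *d)
{
    return d->kind >= DEV_LINKED_DEVICE && d->type == 'c' &&
           d->major >= 136 && d->major <= 143;
}

/* One-expression wrappers for callers (and tests) that check a single path. */
enum dev_kind dev_kind_of(const char *p) { struct dev_info d; inspect_dev_node(p, &d); return d.kind; }
int dev_major_of(const char *p) { struct dev_info d; return inspect_dev_node(p, &d) ? -1 : (int)d.major; }
int dev_minor_of(const char *p) { struct dev_info d; return inspect_dev_node(p, &d) ? -1 : (int)d.minor; }
```

Run it over every entry of a container's /dev: a name that resolves to a c 4 N node is host hardware leaking through, while a symlink that lands on a pty-slave major is the indirection the post describes.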