On Fri, Mar 7, 2014 at 3:51 PM, Lukasz Pawelczyk <havner@xxxxxxxxx> wrote:
>
> On 7 Mar 2014, at 20:24, Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
>
> > On Fri, 07.03.14 19:45, Lukasz Pawelczyk (havner@xxxxxxxxx) wrote:
> >
> >> Problem:
> >> Has anyone thought about a mechanism to limit/remove access to a device during an application's runtime? Meaning we have an application that has an open file descriptor to some /dev/node and, depending on *something*, it gains or loses access to it gracefully (with or without a notification, but without any fatal consequences).
> >
> > logind can mute input devices as sessions are switched, to enable unprivileged X11 and wayland compositors.
>
> Would you please elaborate on this? Where is this mechanism? How does it work without kernel space support? Is there some kernel space support I'm not aware of?
>
> >> Example:
> >> LXC. Imagine we have 2 separate containers. Both running full operating systems. Specifically with 2 X servers. Both running concurrently of
> >
> > Well, devices are not namespaced on Linux (with the single exception of network devices). An X server needs device access, hence this doesn't fly at all.
> >
> > When you enumerate devices with libudev in a container they will never be marked as "initialized" and you do not get any udev hotplug events in containers, and you don't have the host's udev db around, nor would it make any sense to you if you had. X11 and friends rely on udev however...
> >
> > Before you think about doing something like this, you need to fix the kernel to provide namespaced devices (good luck!)
>
> Precisely! That's the generic idea. I'm not for implementing it though at this moment. I just wanted to know whether anybody actually thought about it, or maybe someone is interested in starting such work, etc.
>

Yes, we have started such a thing.

Here is the link to the wiki: https://github.com/Cellrox/devns-patches/wiki

[...]

Oren.

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers