On Wed, Jun 3, 2015 at 2:15 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: > > Not allowing programs to clear nosuid, nodev, and noexec on new mounts > of sysfs or proc will cause lxc and libvirt-lxc to fail to start (a > regression). There are no device nodes or executables on sysfs or > proc today which means clearing these flags is harmless today. > > Instead of failing the fresh mounts of sysfs and proc emit a warning > when these flags are improprely cleared. We only reach this point > because lxc and libvirt-lxc clear flags they mount flags had not > intended to. > > In a couple of kernel releases when lxc and libvirt-lxc have been > fixed we can start failing fresh mounts proc and sysfs that clear > nosuid, nodev and noexec. Userspace clearly means to enforce those > attributes and historically they have avoided bugs. At the very least, I think this should be folded in so that the ABI doesn't break in the middle of the series. --Andy _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
