Quoting Indan Zupancic (indan@xxxxxx):
> Hello,
>
> On Wed, January 9, 2008 05:39, Tetsuo Handa wrote:
> > Hello.
> >
> > Indan Zupancic wrote:
> >> I think you focus too much on your way of enforcing filename/attributes
> >> pairs.
> > So?
>
> So that you miss alternatives and don't see the bigger picture.

These emails again are getting really long, but I think the gist of Indan's suggestion can be concisely summarized:

"To confine process P3 to /dev/hda2 being 'b 3 2', create /dev/p3, launch P3 in a new mounts namespace, mount --bind /dev/p3 /dev, exec what you want p3 running, and have MAC prevent umount /dev/p3."

This is a neat idea, but Tetsuo's rebuttal is

"P3 may be legacy code needing to create or delete /dev/floppy, where -EPERM confuses P3 and prevents it working correctly."

Indan's idea is interesting and I like it, but is there an answer to Tetsuo's problem with it?

thanks,
-serge

PS - Indan, you also said in essence "if P3 can be trusted to create /dev/floppy why can't it be trusted to create /dev/hda1". I trust that, phrased that way, the question answers itself?
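The bind-mount confinement summarized in the message above, as an added shell sketch that is not code from the thread or from any of its participants. The function names, the manifest format (`name type major minor` per line) and the idea of checking the staging directory before mounting it are assumptions made for illustration; `confine_dev` must run as root.

```shell
#!/bin/sh
# Added illustration. Function names, the manifest format and the staging
# directory layout are assumptions, not taken from the thread.

# node_matches PATH TYPE MAJOR MINOR: true only if PATH is a device node of
# TYPE (b or c) with that decimal major/minor, e.g. hda2 as "b 3 2".
node_matches() {
    if [ -b "$1" ]; then have=b
    elif [ -c "$1" ]; then have=c
    else return 1
    fi
    [ "$have" = "$2" ] || return 1
    hex=$(stat -c '%t %T' "$1") || return 1   # GNU stat prints hex
    [ "$((0x${hex% *}))" -eq "$3" ] && [ "$((0x${hex#* }))" -eq "$4" ]
}

# verify_stage DIR MANIFEST: every "name type major minor" line in MANIFEST
# must match DIR/name, and DIR must hold nothing the manifest does not list.
verify_stage() {
    while read -r name type major minor; do
        node_matches "$1/$name" "$type" "$major" "$minor" || {
            echo "mismatch: $name" >&2; return 1; }
    done < "$2"
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue
        awk -v n="${entry##*/}" '$1 == n { f = 1 } END { exit !f }' "$2" || {
            echo "unlisted: $entry" >&2; return 1; }
    done
}

# confine_dev STAGE MANIFEST CMD...: STAGE plays the role of /dev/p3.
# The bind mount over /dev exists only in the new mount namespace.
# Preventing umount of /dev inside that namespace is left to the MAC
# policy, as the message says; this script does not enforce it.
confine_dev() {
    stage=$1 manifest=$2; shift 2
    verify_stage "$stage" "$manifest" || return 1
    unshare --mount sh -c 'mount --bind "$0" /dev && exec "$@"' "$stage" "$@"
}

# Example (as root, with /dev/p3 populated via: mknod /dev/p3/hda2 b 3 2):
#   confine_dev /dev/p3 /etc/p3.manifest /usr/local/bin/p3
```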