Amir Goldstein <amir73il@xxxxxxxxx>:

> The security oriented users of fanotify are anti-virus on-access
> protection engines and those are using mount marks anyway
> (dynamically adding them as far as I know).
> [cc Marko who may be able to shed some light]

(Thanks for the CC; back from vacation.)

Yes.

> For those products, creating a bind mount inside a new mount ns
> may actually escape the on-access policy or the new mount will
> also be marked I am not sure. I suppose cloning mount ns may be
> prohibited by another LSM or something(?).

Not sure I appreciate all dimensions of the problem space, but I don't
immediately foresee overwhelming escaping problems.

Marko