On 01/24/2012 03:04 AM, Kirill A. Shutemov wrote:
On Mon, Jan 23, 2012 at 09:12:19PM +0000, Al Viro wrote:
This is bloody ridiculous; if you want to prevent a luser adming playing with
the set of mounts you've given it, the right way to go is not to mess with the
"which fs types are allowed" but to add a per-namespace "immutable" flag.
And add a new clone(2)/unshare(2) flag, used only along with the CLONE_NEWNS
and setting the "immutable" on the copied namespace.
How will it work if we want to allow namespaced environment to mount block
devices, but not, let say, debugfs?
For the record, that is more or less what I have in mind. But my main
use case is /proc. I guess the case for debugfs is the same.
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html