Gao feng <gaofeng@xxxxxxxxxxxxxx> writes:

> Ok, I agree with you that we should make container security by default.
>
> What's your idea that introduces option MS_NOT_A_LOCK just like Andy's
> advisement?

It might be doable but it is unnecessary.

> In libvirt, host creates dev and devpts directories for container, then
> mount devpts, tmpfs on them and create device nodes inside these dirs
> for container. And then in container, these filesystems are moved to
> container's /dev /dev/pts directory. We really have no need to lock
> these mounts. They are just created for container.

If the global root creates the namespace and performs all of the mounts it is unnecessary.

Now I believe you can create those directories for the most part as non-root in libvirt and gain some interesting applications.

That said, if you don't want locked mounts you should just be able to create a temporary mount namespace as the global root, and do your prep work. Then create your unprivileged mount namespace and bind mount the directories where you want them, and then pivot_root away the bits you don't want.

There is already more mechanism than I like to deal with in the mount namespace. I would really rather not invent/debug/support any more.

Eric