Mark Nelson <markn@xxxxxxxxxxx> writes: > Hi Paul and Eric, > > Do you guys have any objections to dropping the hijack_pid() and > hijack_cgroup() parts of sys_hijack, leaving just hijack_ns() (see > below for discussion)? I need to step back and study what is being proposed. My gut feeling is that you are proposing something that does not support forking me a process inside a container so I can have a shell without having to run a login program. There is a reason I proposed ptrace as an initial prototype. All of the other uses of enter in a namespace context I feel confident we can support by just having proper virtual filesystems available to processes outside of the container. For monitoring and control. Eric -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
