From mboxrd@z Thu Jan 1 00:00:00 1970
From: Cedric Le Goater
Subject: Re: Namespaces exhausted CLONE_XXX bits problem
Date: Tue, 15 Jan 2008 08:53:00 +0100
Message-ID: <478C665C.80106@fr.ibm.com>
References: <478B6764.6050300@openvz.org> <478B7549.2020000@fr.ibm.com> <478B76C4.8050804@openvz.org> <478B7DB3.9050702@fr.ibm.com> <20080114163246.GA31663@sergelap.austin.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
In-Reply-To: <20080114163246.GA31663-6s5zFf/epYLPQpwDFJZrxKsjOiXwFzmk@public.gmane.org>
To: "Serge E. Hallyn"
Cc: Linux Containers, Pavel Emelyanov
List-Id: containers.vger.kernel.org

Serge E. Hallyn wrote:
> Quoting Cedric Le Goater (clg-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org):
>> to be more precise :
>>
>> 	long sys_clone_something(struct clone_something_args args)
>>
>> and
>>
>> 	long sys_unshare_something(struct unshare_something_args args)
>>
>> The arg passing will be slower bc of the copy_from_user() but we will
>> still have the sys_clone syscall for the fast path.
>>
>> C.
>
> I'm fine with the direction you're going, but just as one more option,
> we could follow more of the selinux/lsm approach of first requesting
> clone/unshare options, then doing the actual clone/unshare. So
> something like
>
> 	sys_clone_request(extended_64bit_clone_flags)
> 	sys_clone(usual args)
>
> or
>
> 	echo pid,mqueue,user,ipc,uts,net > /proc/self/clone_unshare
> 	clone()

For my information, why did selinux/lsm choose that 2-step approach?
What kind of issues are they trying to solve?

Thanks,

C.