From: "H. Peter Anvin" <hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
To: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
Cc: kyle-hoO6YkzgTuCM0SS3m2neIg@public.gmane.org,
"David C. Hansen"
<haveblue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>,
bastian-yyjItF7Rl6lg9hUCZPvPmw@public.gmane.org,
ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org,
containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org,
sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org,
alan-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org,
xemul-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org
Subject: Re: [PATCH 0/9] Multiple devpts instances
Date: Thu, 19 Feb 2009 14:46:37 -0800 [thread overview]
Message-ID: <499DE14D.9050503@zytor.com> (raw)
In-Reply-To: <499DE06E.4030108-GANU6spQydw@public.gmane.org>
Daniel Lezcano wrote:
>
> But if I am able to create a new instance of devpts for a container and
> modify the configuration of another devpts from this container, is it
> acceptable ? Can we convince people to use the containers for security
> and have anybody able to make a pty starvation from one container to
> another ?
> If it is too much complicated to handle one value per new devpts
> instance, IMHO /proc/sys/kernel/pty/max should be, at least, read-only
> for the new instance, no ?
>
First of all, there is no such thing... the devpts instance is simply
another filesystem, whereas the /proc/sys entry is a global limit on the
total number of ptys in the system. Again, one of thousands, and yes,
they probably should ALL be readonly in a container environment. That
has to be set up separately than the devpts filesystem, because the
devpts filesystem is not tied to procfs or even containers in any way.
-hpa
next prev parent reply other threads:[~2009-02-19 22:46 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-10-15 5:30 [PATCH 0/9] Multiple devpts instances sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8
[not found] ` <20081015053000.GA2039-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-10-15 5:33 ` [PATCH 1/9] Remove devpts_root global sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8
2008-10-15 5:33 ` [PATCH 2/9] Per-mount allocated_ptys sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8
2008-10-15 5:34 ` [PATCH 3/9] Per-mount 'config' object sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8
2008-10-15 5:35 ` [PATCH 4/9] Extract option parsing to new function sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8
2008-10-15 5:35 ` [PATCH 5/9] Add DEVPTS_MULTIPLE_INSTANCES config token sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8
2008-10-15 5:36 ` [PATCH 6/9] Define mknod_ptmx() sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8
2008-10-15 5:37 ` [PATCH 7/9] Define get_init_pts_sb() sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8
2008-10-15 5:37 ` [PATCH 8/9] Enable multiple instances of devpts sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8
2008-10-15 5:38 ` [PATCH 9/9] Document usage of multiple-instances " sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8
[not found] ` <20081015053800.GI2215-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-10-15 18:57 ` Serge E. Hallyn
[not found] ` <20081015185722.GA30005-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2008-10-15 19:03 ` H. Peter Anvin
[not found] ` <48F63E76.3030907-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2008-10-15 19:48 ` Serge E. Hallyn
2008-10-16 15:19 ` [PATCH 0/9] Multiple devpts instances Serge E. Hallyn
2009-02-19 15:43 ` Daniel Lezcano
[not found] ` <499D7E13.10601-GANU6spQydw@public.gmane.org>
2009-02-19 17:32 ` H. Peter Anvin
[not found] ` <499D97B1.1090902-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2009-02-19 18:09 ` Daniel Lezcano
[not found] ` <499DA069.3040603-GANU6spQydw@public.gmane.org>
2009-02-19 19:58 ` H. Peter Anvin
[not found] ` <499DB9DA.2070301-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2009-02-19 22:28 ` Eric W. Biederman
[not found] ` <m1vdr6xdqv.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2009-02-20 4:22 ` H. Peter Anvin
2009-02-19 22:42 ` Daniel Lezcano
[not found] ` <499DE06E.4030108-GANU6spQydw@public.gmane.org>
2009-02-19 22:46 ` H. Peter Anvin [this message]
2009-02-19 23:59 ` Eric W. Biederman
[not found] ` <m1eixuvv00.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2009-02-23 20:56 ` Serge E. Hallyn
[not found] ` <20090223205609.GA32351-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-02-23 21:18 ` H. Peter Anvin
[not found] ` <49A31299.8040501-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2009-02-23 22:27 ` Serge E. Hallyn
2009-02-24 4:09 ` Eric W. Biederman
2009-02-23 21:19 ` Daniel Lezcano
[not found] ` <49A312E6.9090900-GANU6spQydw@public.gmane.org>
2009-02-23 21:23 ` H. Peter Anvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=499DE14D.9050503@zytor.com \
--to=hpa-ymnouzjc4hwavxtiumwx3w@public.gmane.org \
--cc=alan-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org \
--cc=bastian-yyjItF7Rl6lg9hUCZPvPmw@public.gmane.org \
--cc=containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org \
--cc=daniel.lezcano-GANU6spQydw@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=haveblue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org \
--cc=kyle-hoO6YkzgTuCM0SS3m2neIg@public.gmane.org \
--cc=sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org \
--cc=xemul-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.