From mboxrd@z Thu Jan 1 00:00:00 1970
From: Bernie Innocenti
Subject: Re: Network isolation with RLIMIT_NETWORK, cont'd.
Date: Thu, 17 Dec 2009 14:35:17 -0500
Message-ID: <1261078517.4073.32.camel@giskard.codewiz.org>
References: <20091213142149.GB4777@heat> <3e8340490912171024n2120e88q569c69fe7d09140f@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: Mark Seaborn, Michael Stone, "Eric W. Biederman", linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Andi Kleen, David Lang, Oliver Hartkopp, Alan Cox, Herbert Xu, Valdis Kletnieks, Rémi Denis-Courmont, Evgeniy Polyakov, "C. Scott Ananian", James Morris, Linux Containers
To: Bryan Donlan
Return-path:
In-Reply-To: <3e8340490912171024n2120e88q569c69fe7d09140f@mail.gmail.com>
Sender: linux-security-module-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

On Thu, 2009-12-17 at 13:24 -0500, Bryan Donlan wrote:
> Can this be done using openat() and friends currently? It would seem
> the natural way to implement this; open /proc/(pid)/root, then
> openat() things from there (or even chdir to it and see the mounts
> that it sees from there...)

Yeah, but /proc/<pid>/root is just a symlink. It's correct for chroots,
but I doubt it can be meaningful for per-process namespaces.

If we were to implement Mark Seaborn's idea of naming namespaces,
/proc/<pid>/rootfd would be a file descriptor providing access to the
namespace through some fancy ioctls. Or maybe not.

Could such a file-descriptor be used as the source argument to mount(),
perhaps along with a new MS_NS flag?

Alternatively, perhaps one could come up with a userspace solution:
read /proc/<pid>/mounts and repeat all mounts, perhaps with a prefix.
The downsides are that it would require superuser privs and wouldn't
automatically stay synchronized with the real namespace.
--
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/
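The userspace approach sketched at the end of the mail, as an added example that is not part of the thread or of any kernel code: it parses the fstab-style lines of /proc/<pid>/mounts (including the \ooo octal escapes the kernel uses for spaces in paths), keeps only the topmost mount per mount point, and builds a plan of bind mounts that replays the process's view under a prefix directory. The sample lines, the pid 1234 and the /jail prefix are constructed; the plan uses /proc/<pid>/root as the bind source on the assumption that it resolves to what the target process sees, and applying it needs CAP_SYS_ADMIN, which is exactly the first downside the mail names.

```python
import os
import re
import subprocess

# Constructed sample in the format of /proc/<pid>/mounts. Note that / is
# listed twice (rootfs, then the real root mounted over it) and that the
# space in "data disk" is escaped as \040.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /mnt/data\\040disk ext4 ro,relatime 0 0
"""

_OCTAL = re.compile(r"\\([0-7]{3})")

def unescape(field):
    # The kernel escapes space, tab, newline and backslash as \ooo (octal).
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    # Each line: source mountpoint fstype options dump pass (fstab layout).
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        src, mnt, fstype, opts = (unescape(p) for p in parts[:4])
        entries.append({"source": src, "mountpoint": mnt,
                        "fstype": fstype, "options": opts.split(",")})
    return entries

def replay_plan(entries, pid, prefix):
    # Later lines overmount earlier ones, so keep the last entry per mount
    # point, then order parents before children so / is bound before /proc.
    top = {}
    for e in entries:
        top[e["mountpoint"]] = e
    plan = []
    for mnt in sorted(top, key=lambda m: m.rstrip("/").count("/")):
        rel = mnt.lstrip("/")
        src = os.path.normpath(os.path.join(f"/proc/{pid}/root", rel))
        dst = os.path.normpath(os.path.join(prefix, rel))
        plan.append((src, dst, "ro" in top[mnt]["options"]))
    return plan

def apply_plan(plan):
    # Replays the plan with util-linux mount(8); this is a one-shot copy and
    # will not follow later changes in the target's namespace.
    for src, dst, readonly in plan:
        os.makedirs(dst, exist_ok=True)
        subprocess.run(["mount", "--bind", src, dst], check=True)
        if readonly:
            subprocess.run(["mount", "-o", "remount,bind,ro", dst], check=True)
```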