To: linuxram@us.ibm.com
CC: viro@ftp.linux.org.uk, torvalds@osdl.org, linux-kernel@vger.kernel.org,
       linux-fsdevel@vger.kernel.org
In-reply-to: <1131439567.5400.221.camel@localhost> (message from Ram Pai on
	Tue, 08 Nov 2005 00:46:07 -0800)
Subject: Re: [PATCH 2/18] cleanups and bug fix in do_loopback()
References: <E1EZInj-0001Ef-9Z@ZenIV.linux.org.uk>
	 <E1EZNRz-0007EM-00@dorka.pomaz.szeredi.hu> <1131439567.5400.221.camel@localhost>
Message-Id: <E1EZPm4-0007R7-00@dorka.pomaz.szeredi.hu>
From: Miklos Szeredi <miklos@szeredi.hu>
Date: Tue, 08 Nov 2005 10:28:16 +0100
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1092
Lines: 25

> > I see no other reason for wanting to prevent binds from detached
> > mounts or other namespaces.  It has been discussed that it would be a
> > good _controlled_ way to send/receive mounts from other namespace
> > without adding any complexity.
> 
> AFAICT, the ability to bind across namespaces defeats the private-ness
> property of per-process-namespaces. 

No.  The privateness is guaranteed by proc_check_root(), which is
similar, but not the same as check_mnt(), and wich restrict _access_
to other namespaces.

check_mnt() restricts operations on other namespaces if you _already_
have access to said namespace.  For example via a file descriptor sent
between two processes in different namespaces.

Also with ptrace() you can still access other process's namespace, so
proc_check_root() is also too strict (or ptrace() too lax).

Miklos
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/