From: Bryan Donlan
Date: Thu, 17 Dec 2009 13:24:50 -0500
Message-ID: <3e8340490912171024n2120e88q569c69fe7d09140f@mail.gmail.com>
In-Reply-To/References: <20091213142149.GB4777@heat>
Subject: Re: Network isolation with RLIMIT_NETWORK, cont'd.
To: Mark Seaborn
Cc: Michael Stone, "Eric W. Biederman", linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Andi Kleen, David Lang, Oliver Hartkopp, Alan Cox, Herbert Xu, Valdis Kletnieks, Rémi Denis-Courmont, Evgeniy Polyakov, "C. Scott Ananian", James Morris, Bernie Innocenti, Linux Containers

On Thu, Dec 17, 2009 at 12:31 PM, Mark Seaborn wrote:
> Maybe we could fix (b) by making mount namespaces into first class objects
> that can be named through a file descriptor, so that one process can
> manipulate another process's namespace without itself being subject to the
> namespace. Can this be done using openat() and friends currently?

It would seem the natural way to implement this; open /proc/(pid)/root, then openat() things from there (or even chdir to it and see the mounts that it sees from there...)
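The /proc/(pid)/root plus openat() approach described in the reply, as an added example that is not part of the thread and not code from any of the participants. It assumes a Linux host with /proc mounted and that the caller is allowed to read the target's /proc/(pid) entries (the kernel applies the same ptrace-read access check to the root magic link as to the rest of the directory); the function names (open_proc_root, openat_under, read_under, read_in_pid_root) are this example's own. It also shows the one check a practitioner needs here: openat() ignores dirfd whenever the path begins with '/', so an absolute path handed to such a helper would silently resolve in the caller's own mount namespace rather than the target's.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Open /proc/<pid>/root: a directory fd anchored at the target process's
 * root as seen through its own mount namespace (and chroot, if any).
 * Succeeds only if the caller may ptrace-read the target. */
int open_proc_root(pid_t pid)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/root", (long)pid);
    return open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
}

/* Open `relpath` relative to a directory fd.
 * Absolute paths are rejected with EINVAL: openat(2) ignores dirfd when the
 * path starts with '/', which would make the lookup happen in the caller's
 * namespace instead of the target's.
 * Caveat: plain openat() is not a confinement primitive. ".." and absolute
 * symlinks inside the target tree are still resolved from the caller's
 * point of view; openat2(2) with RESOLVE_IN_ROOT (Linux 5.6+) is the
 * interface for that. */
int openat_under(int rootfd, const char *relpath, int flags)
{
    if (relpath == NULL || relpath[0] == '/') {
        errno = EINVAL;
        return -1;
    }
    return openat(rootfd, relpath, flags | O_CLOEXEC);
}

/* Read up to len-1 bytes of `relpath` under rootfd into buf (NUL-terminated).
 * Returns the byte count, or -1 with errno set. */
ssize_t read_under(int rootfd, const char *relpath, char *buf, size_t len)
{
    int fd = openat_under(rootfd, relpath, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    int saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;
        return -1;
    }
    buf[n] = '\0';
    return n;
}

/* Same, but anchored at another process's root via /proc/<pid>/root. */
ssize_t read_in_pid_root(pid_t pid, const char *relpath, char *buf, size_t len)
{
    int rootfd = open_proc_root(pid);
    if (rootfd < 0)
        return -1;
    ssize_t n = read_under(rootfd, relpath, buf, len);
    int saved = errno;
    close(rootfd);
    errno = saved;
    return n;
}

int main(int argc, char **argv)
{
    /* Usage: ./a.out [pid]   (defaults to our own pid) */
    pid_t pid = argc > 1 ? (pid_t)atol(argv[1]) : getpid();
    char buf[256];
    ssize_t n = read_in_pid_root(pid, "etc/hostname", buf, sizeof buf);
    if (n < 0) {
        perror("read_in_pid_root");
        return 1;
    }
    printf("pid %ld sees /etc/hostname as: %s", (long)pid, buf);
    return 0;
}
```

Run it with the pid of a process in a different mount namespace (a container init, for instance) and the file read is the one that process sees, not the caller's. The absolute-path rejection is what keeps the helper honest; for anything untrusted under the target root, the ".." and symlink caveat in the comment means openat2() with RESOLVE_IN_ROOT, not this, is the right tool.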