Subject: Re: Network isolation with RLIMIT_NETWORK, cont'd.
From: Bernie Innocenti
To: Bryan Donlan
Cc: Mark Seaborn, Michael Stone, "Eric W. Biederman", linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Andi Kleen, David Lang, Oliver Hartkopp, Alan Cox, Herbert Xu, Valdis Kletnieks, Rémi Denis-Courmont, Evgeniy Polyakov, "C. Scott Ananian", James Morris, Linux Containers
In-Reply-To: <3e8340490912171024n2120e88q569c69fe7d09140f@mail.gmail.com>
References: <20091213142149.GB4777@heat> <3e8340490912171024n2120e88q569c69fe7d09140f@mail.gmail.com>
Organization: Sugar Labs - http://www.sugarlabs.org/
Date: Thu, 17 Dec 2009 14:35:17 -0500
Message-ID: <1261078517.4073.32.camel@giskard.codewiz.org>

On Thu, 2009-12-17 at 13:24 -0500, Bryan Donlan wrote:
> Can this be done using openat() and friends currently? It would seem
> the natural way to implement this; open /proc/(pid)/root, then
> openat() things from there (or even chdir to it and see the mounts
> that it sees from there...)

Yeah, but /proc/<pid>/root is just a symlink. It's correct for chroots,
but I doubt it can be meaningful for per-process namespaces.

If we were to implement Mark Seaborn's idea of naming namespaces,
/proc/<pid>/rootfd would be a file descriptor providing access to the
namespace through some fancy ioctls. Or maybe not.

Could such a file descriptor be used as the source argument to mount(),
perhaps along with a new MS_NS flag?

Alternatively, perhaps one could come up with a userspace solution: read
/proc/<pid>/mounts and repeat all mounts, perhaps with a prefix. The
downsides are that it would require superuser privs and wouldn't
automatically stay synchronized with the real namespace.

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/
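The userspace fallback sketched above (read /proc/<pid>/mounts and repeat the mounts under a prefix), as an added dry-run example that is not code from this thread: it parses the mounts format, including the kernel's octal escapes for spaces in paths, and returns the mount commands it would issue instead of running them. The sample lines are constructed, the prefix /mnt/peer is an assumed target, and executing the plan would still need CAP_SYS_ADMIN and would drift as soon as the peer's namespace changes.

```python
import posixpath
import shlex

# Constructed sample in /proc/<pid>/mounts format (not captured from a real host).
# Note the \040 escape: the kernel encodes spaces, tabs, newlines and backslashes
# as three-digit octal escapes so that each line stays whitespace-separable.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /mnt/my\\040disk ext4 rw,relatime 0 0
"""

def unescape(field):
    """Decode the \\NNN octal escapes used in /proc/<pid>/mounts fields."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 3 < len(field) and all(c in "01234567" for c in field[i + 1:i + 4]):
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)

def parse_mounts(text):
    """Parse the fstab-like lines (source target fstype options dump pass) into dicts."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed line: skip rather than guess at its fields
        src, tgt, fstype, opts, dump, pas = parts
        entries.append({"source": unescape(src), "target": unescape(tgt),
                        "fstype": fstype, "options": opts.split(","),
                        "dump": int(dump), "pass": int(pas)})
    return entries

def plan_replay(entries, prefix):
    """Return the mount commands that would recreate the list under `prefix` (dry run only)."""
    cmds = []
    for e in entries:
        if e["fstype"] == "rootfs":
            continue  # the initial rootfs cannot be mounted again
        target = posixpath.normpath(prefix + "/" + e["target"].lstrip("/"))
        cmds.append("mount -t %s -o %s %s %s" % (
            e["fstype"], ",".join(e["options"]), shlex.quote(e["source"]), shlex.quote(target)))
    return cmds

if __name__ == "__main__":
    for cmd in plan_replay(parse_mounts(SAMPLE_MOUNTS), "/mnt/peer"):
        print(cmd)
```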