From: Bryan Donlan
Date: Thu, 17 Dec 2009 14:53:00 -0500
Subject: Re: Network isolation with RLIMIT_NETWORK, cont'd.
To: Bernie Innocenti
Cc: Mark Seaborn, Michael Stone, "Eric W. Biederman", linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Andi Kleen, David Lang, Oliver Hartkopp, Alan Cox, Herbert Xu, Valdis Kletnieks, Rémi Denis-Courmont, Evgeniy Polyakov, "C. Scott Ananian", James Morris, Linux Containers
Message-ID: <3e8340490912171153s56e966d6lb76041fefc52e735@mail.gmail.com>
In-Reply-To: <1261078517.4073.32.camel@giskard.codewiz.org>

On Thu, Dec 17, 2009 at 2:35 PM, Bernie Innocenti wrote:
> On Thu, 2009-12-17 at 13:24 -0500, Bryan Donlan wrote:
>> Can this be done using openat() and friends currently? It would seem
>> the natural way to implement this; open /proc/(pid)/root, then
>> openat() things from there (or even chdir to it and see the mounts
>> that it sees from there...)
>
> Yeah, but /proc//root is just a symlink. It's correct for chroots,
> but I doubt it can be meaningful for per-process namespaces.

The files in /proc//fs are 'just symlinks', but opening them can provide
access to objects (eg, deleted files) not accessible through the normal
filesystem namespace. I see no reason, API-wise, why /proc//root couldn't
be extended similarly - but I've not looked at the namespaces
implementation, so maybe there's some reason it'd be difficult to
implement...
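The open-/proc/(pid)/root-then-openat() pattern Bryan describes, as an added example that is not part of the thread: it opens the target's root directory as a dirfd and reads a path relative to it. The demo in main() uses the caller's own pid; the helper names and the comment on symlink resolution (a caveat to keep in mind when the target tree is not trusted) are mine, not from the list.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Open the root directory of `pid` as that process sees it, via
 * /proc/<pid>/root. The kernel grants this only if the caller may
 * ptrace `pid` (same uid and dumpable, or CAP_SYS_PTRACE). */
static int open_proc_root(pid_t pid)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/root", (long)pid);
    return open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
}

/* Drop leading '/' so openat() resolves the path relative to dirfd. */
static const char *relative(const char *abs_path)
{
    while (*abs_path == '/')
        abs_path++;
    return *abs_path ? abs_path : ".";
}

/* Read up to `len` bytes of `abs_path` as seen from pid's root.
 * Returns bytes read, or -1 if the root or the file cannot be opened.
 * Caveat: absolute symlinks met inside the target tree resolve against
 * the CALLER's root, not the target's; for an untrusted tree prefer
 * openat2(2) with RESOLVE_IN_ROOT (Linux 5.6+). */
ssize_t read_via_proc_root(pid_t pid, const char *abs_path, char *buf, size_t len)
{
    int dirfd = open_proc_root(pid);
    if (dirfd < 0)
        return -1;
    int fd = openat(dirfd, relative(abs_path), O_RDONLY | O_CLOEXEC);
    close(dirfd);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len);
    close(fd);
    return n;
}

int main(void)
{
    char buf[128];
    ssize_t n = read_via_proc_root(getpid(), "/proc/self/comm", buf, sizeof buf - 1);
    if (n > 0) { buf[n] = '\0'; printf("comm via /proc/self/root: %s", buf); }
    return n > 0 ? 0 : 1;
}
```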