| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 09 Apr 2008 11:01:16 -0700 From: "H. Peter Anvin" <hpa@...or.com> To: sukadev@...ibm.com CC: linux-kernel@...r.kernel.org, Containers <containers@...ts.osdl.org>, Pavel Emelyanov <xemul@...nvz.org>, serue@...ibm.com, clg@...ibm.com Subject: Re: [RFC][PATCH 0/7] Clone PTS namespace sukadev@...ibm.com wrote: > We want to provide isolation between containers, meaning PTYs in container > C1 should not be accessible to processes in C2 (unless C2 is an ancestor). Yes, I certainly can understand the desire for isolation. That wasn't what my question was about. > The other reason for this in the longer term is for checkpoint/restart. > When restarting an application we want to make sure that the PTY indices > it was using is available and isolated. OK, this would be the motivation for index isolation. > A complete device-namespace could solve this, but IIUC, is being planned > in the longer term. We are hoping this would provide the isolation in the > near-term without being too intrusive or impeding the implementation of > the device namespace. I'm just worried about the accumulation of what feels like ad hoc namespaces, causing a very large combination matrix, a lot of which don't make sense. -hpa -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists