Date: Thu, 17 Dec 2009 14:53:00 -0500
From: Bryan Donlan <bdonlan@...il.com>
To: Bernie Innocenti <bernie@...ewiz.org>
Cc: Mark Seaborn <mrs@...hic-beasts.com>, Michael Stone <michael@...top.org>, "Eric W. Biederman" <ebiederm@...ssion.com>, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, linux-security-module@...r.kernel.org, Andi Kleen <andi@...stfloor.org>, David Lang <david@...g.hm>, Oliver Hartkopp <socketcan@...tkopp.net>, Alan Cox <alan@...rguk.ukuu.org.uk>, Herbert Xu <herbert@...dor.apana.org.au>, Valdis Kletnieks <Valdis.Kletnieks@...edu>, Rémi Denis-Courmont <rdenis@...phalempin.com>, Evgeniy Polyakov <zbr@...emap.net>, "C. Scott Ananian" <cscott@...ott.net>, James Morris <jmorris@...ei.org>, Linux Containers <containers@...ts.osdl.org>
Subject: Re: Network isolation with RLIMIT_NETWORK, cont'd.

On Thu, Dec 17, 2009 at 2:35 PM, Bernie Innocenti <bernie@...ewiz.org> wrote:
> On Thu, 2009-12-17 at 13:24 -0500, Bryan Donlan wrote:
>> Can this be done using openat() and friends currently? It would seem
>> the natural way to implement this; open /proc/(pid)/root, then
>> openat() things from there (or even chdir to it and see the mounts
>> that it sees from there...)
>
> Yeah, but /proc/<pid>/root is just a symlink. It's correct for chroots,
> but I doubt it can be meaningful for per-process namespaces.

The files in /proc/<pid>/fs are 'just symlinks', but opening them can
provide access to objects (eg, deleted files) not accessible through
the normal filesystem namespace. I see no reason, API-wise, why
/proc/<pid>/root couldn't be extended similarly - but I've not looked
at the namespaces implementation, so maybe there's some reason it'd be
difficult to implement...
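
The two procfs behaviours discussed in this message, as an added example that is not part of the original post: reopening an unlinked file through the per-descriptor symlink /proc/self/fd/<n>, and the open()+openat() sequence against /proc/<pid>/root. The function names, the /tmp file name and the relative path passed in main() are assumptions chosen for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Unlink a temp file, then reopen its inode via /proc/self/fd/<n>; 0 = readable. */
int reopen_deleted_via_proc(void)
{
    char path[] = "/tmp/procfd-demo-XXXXXX";   /* constructed sample file */
    const char msg[] = "still here";
    char link[64], buf[32] = {0};
    int ok = -1, fd2, fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                               /* the name is gone from here on */
    if (access(path, F_OK) != 0 &&
        write(fd, msg, strlen(msg)) == (ssize_t)strlen(msg)) {
        snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
        fd2 = open(link, O_RDONLY);             /* fresh open, offset 0 */
        if (fd2 >= 0) {
            if (read(fd2, buf, sizeof buf - 1) > 0 && strcmp(buf, msg) == 0)
                ok = 0;
            close(fd2);
        }
    }
    close(fd);
    return ok;
}

/* Open rel (no leading slash) under the root directory of pid; fd or -1. */
int open_in_root_of(pid_t pid, const char *rel)
{
    char root[64];
    int dirfd, fd;
    snprintf(root, sizeof root, "/proc/%ld/root", (long)pid);
    dirfd = open(root, O_RDONLY | O_DIRECTORY); /* follows the proc symlink */
    if (dirfd < 0) return -1;
    fd = openat(dirfd, rel, O_RDONLY);
    close(dirfd);
    return fd;
}

int main(void)
{
    printf("deleted-file reopen: %d, openat under root: fd %d\n",
           reopen_deleted_via_proc(), open_in_root_of(getpid(), "proc/self/status"));
    return 0;
}
```

Dereferencing another process's /proc/<pid>/fd or /proc/<pid>/root entries is subject to a ptrace access-mode check (see proc(5)), so the example only uses the calling process's own entries.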