[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20170330214523.GA13761@comp-core-i7-2640m-0182e6>
Date: Thu, 30 Mar 2017 23:45:23 +0200
From: Alexey Gladkov <gladkov.alexey@...il.com>
To: Djalal Harouni <tixxdz@...il.com>
Cc: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Linux API <linux-api@...r.kernel.org>,
"Kirill A. Shutemov" <kirill@...temov.name>,
Vasiliy Kulikov <segoon@...nwall.com>,
Al Viro <viro@...iv.linux.org.uk>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Oleg Nesterov <oleg@...hat.com>,
Pavel Emelyanov <xemul@...allels.com>,
James Bottomley <James.Bottomley@...senpartnership.com>,
"Dmitry V. Levin" <ldv@...linux.org>, Jann Horn <jann@...jh.net>,
Kees Cook <keescook@...omium.org>,
Andy Lutomirski <luto@...nel.org>,
Miklos Szeredi <miklos@...redi.hu>
Subject: Re: [RFC] Add option to mount only a pids subset
On Sun, Mar 26, 2017 at 09:03:33AM +0200, Djalal Harouni wrote:
> (Cc'ed Kees and Jann for the procfs stacking issue)
>
> > I completely agree with you that it looks wrong when options of one
> > mountpoint affect the others mountpoints.
> >
> >> I'm not sure if that's the right approach, it is still buggy, however
> >> seems that your patch also stores the mount option inside the
> >> pid_namespace which may get propagated to all mounts inside same pidns
> >> ?
> >
> > I don't store 'pidonly' option in my current patch. I mean in:
> > https://lkml.org/lkml/2017/3/20/363
> >
> > I parse options twice at first mount of procfs. It happens before
> > the mounting /proc in userspace.
> >
> > I know it's bad, but I couldn't find place to store this option.
>
> Ok, then maybe that approach of having a procfs struct holder instead
> of using pid namespace may help!
I deside to stop doing my patch. I talked with a few people and found out
that the overlayfs doesn't feel very well if on the lower level filesystem
appear/disappear files.
In addition with the pidfs isn't so simple. Separate the root will lead to
a doubling of memory consumption and restrictions on the filesystem operations
level can easily be skipped.
It means that even I can do this pidfs (or pid subset in /proc), it
will be pointless.
--
Rgrds, legion
Powered by blists - more mailing lists