On Wed, 2008-10-15 at 08:17 -0400, erik quanstrom wrote:
> > >   ; mntgen a
> > >   ; bind /env a/env
> > >   ; bind /bin a/bin
> > >   ; bind /proc a/proc
> > >   ; bind a /
> > >   ; ns
> > > 
> > > consider it a security feature.
> > 
> > Be it as it may, I still can't quite follow why *manual* pruning
> > of the entries from the namespace would be forbidden. unmount(2)
> > takes two strings as arguments, right? It doesn't even need an fd.
> 
> because they're not visible.  you have to access
> it in order to unmount it.

I see what you meant now. For some reason, I constantly assume 
that namespace is sort of a substitution table that helps you
walk(5) across the bind/mount points. But it is not. Is there
a simple reason for mandating access to the target of the bind?

Or here's an easier way to ask the same: is there a simple reason
for 
   $ bind /foo /really/nested/bar
always triggering walks into /foo and /really/nested/bar and not
allowing for "lazy evaluation"? 

Thanks,
Roman.


Reply via email to