On Wed, 2008-10-15 at 08:17 -0400, erik quanstrom wrote: > > > ; mntgen a > > > ; bind /env a/env > > > ; bind /bin a/bin > > > ; bind /proc a/proc > > > ; bind a / > > > ; ns > > > > > > consider it a security feature. > > > > Be it as it may, I still can't quite follow why *manual* pruning > > of the entries from the namespace would be forbidden. unmount(2) > > takes two strings as arguments, right? It doesn't even need an fd. > > because they're not visible. you have to access > it in order to unmount it.
I see what you meant now. For some reason, I constantly assume that namespace is sort of a substitution table that helps you walk(5) across the bind/mount points. But it is not. Is there a simple reason for mandating access to the target of the bind? Or here's an easier way to ask the same: is there a simple reason for $ bind /foo /really/nested/bar always triggering walks into /foo and /really/nested/bar and not allowing for "lazy evaluation"? Thanks, Roman.
