> None of these questions are any different in this > context than if there was simply some other process > sharing the name space and doing the same manipulations. >
currently one can prevent external changes to a namespace by creating a unique ns with rfork. if /proc/$pid/ns were writable, one would not not be possible without yet another mechanism. - erik