Guys,

while replying to Nathaniel's post it dawned on
me that something like this:
    open("#c/cons", OWRITE|OCEXEC);
completely breaks the paradigm of namespaces.

IOW, if I wanted to construct a namespace with
a specially crafted server offering /dev/cons,
the above would easily break out of that jail.

In fact, is there *any* way at all to disallow
attaches on kernel devices? The naive method
doesn't seem to work:

 term% rfork m
 term% cat '#c/pid'
       220   

Thanks,
Roman.

