On Mon, 12 May 2014 00:47:17 -0600 Ryan Hill <rh...@gentoo.org> wrote:
> > 1. cgroup -- puts all processes spawned by ebuild to cgroup, and > > kills all of them once phase exits (prevents leaving orphans), > > > > 2. ipc-sandbox -- puts all processes spawned by ebuild to a separate > > IPC namespace, preventing them from interfacing other system > > services via IPC (message queues, semaphores, shared memory), > > > > 3. network-sandbox -- puts all processes spawned by ebuild to > > a separate network namespace with a private loopback interface, > > preventing them from interfacing other system services, local > > network and the Internet. > > All three of these require kernel support. It might be a good idea > to add the needed options to that Gentoo Linux menu we have in > gentoo-sources and enable them by default. Right, this skipped my mind when I enabled them yesterday; this should be documented, as well as have Portage check for missing support and test it and bail out with a proper error message if it doesn't already. Which options are these in particular? I'll cook a patch with them. -- With kind regards, Tom Wijsman (TomWij) Gentoo Developer E-mail address : tom...@gentoo.org GPG Public Key : 6D34E57D GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D
signature.asc
Description: PGP signature
