On tor, 2015-03-05 at 15:26 -0800, Andy Lutomirski wrote:
> On Wed, Mar 4, 2015 at 3:14 AM, Alexander Larsson <[email protected]> wrote:

> Fair enough.
> 
> Eric, I don't understand the mount propagation code at all.  Could
> there be "propagate read-only" mode?  (Presumably along with nodev,
> nosuid, and noexec.)

Completely unrelated, but while I have some kernel people on the line:

Any chance someone could make it possible to share the network
namespace with the host, yet still get your own abstract unix socket
address space? These two are currently tightly bound, which is a problem
if you want to use the host network namespace to allow the app "normal"
access to the network stack, because it *also* gives the app full access
to all local abstract sockets, and those don't even have any permission
checks.

For instance, would it be possible to, say, add a prefix string which is
applied to all abstract sockets? Or maybe just a separate namespace for
these?

Regular unix domain sockets are really all that is needed, and they work
with bind mounts so I can set up access to them however I want, so
another alternative is to just make it possible to disable abstract
socket use in a container. Unfortunately this is not doable with
seccomp, and while it may be doable in selinux it is hardly simple, and
depends on that being in enforcing mode.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       [email protected]            [email protected] 
He's a shy shark-wrestling card sharp on a search for his missing sister. 
She's a warm-hearted thirtysomething research scientist living on 
borrowed time. They fight crime! 

_______________________________________________
gnome-os-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-os-list
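One check a practitioner would want for the situation described above, added here as an example that is not from the thread or from any project discussed in it: a small Python script that parses /proc/net/unix (the kernel prints the leading NUL byte of an abstract name as '@') and lists the listening abstract sockets that any process sharing the host's network namespace can see and connect to. The /proc/net/unix contents in SAMPLE are constructed, not captured from a real host.

```python
# Added example (not from the thread): list the abstract unix sockets reachable from
# the current network namespace; Flags has __SO_ACCEPTCON (0x10000) set when listening.
import os
from dataclasses import dataclass
from typing import List, Optional

SO_ACCEPTCON = 0x10000  # __SO_ACCEPTCON as printed by the kernel's af_unix.c
@dataclass
class UnixSocket:
    inode: int
    sock_type: int            # 1 = SOCK_STREAM, 2 = SOCK_DGRAM, 5 = SOCK_SEQPACKET
    listening: bool
    path: Optional[str]       # None for unnamed sockets (e.g. socketpair())

    @property
    def is_abstract(self) -> bool:
        return self.path is not None and self.path.startswith("@")

def parse_proc_net_unix(text: str) -> List[UnixSocket]:
    """Parse /proc/net/unix text: 'Num RefCount Protocol Flags Type St Inode [Path]'."""
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split(None, 7)            # Path is the 8th field and may contain spaces
        if len(fields) < 7:
            continue
        sockets.append(UnixSocket(
            inode=int(fields[6]),
            sock_type=int(fields[4], 16),
            listening=bool(int(fields[3], 16) & SO_ACCEPTCON),
            path=fields[7] if len(fields) == 8 else None,
        ))
    return sockets

def listening_abstract_names(sockets: List[UnixSocket]) -> List[str]:
    """Names any process in this network namespace may connect to; no file permissions apply."""
    return sorted({s.path for s in sockets if s.is_abstract and s.listening})

# Constructed sample in /proc/net/unix format (not a capture from a real host).
SAMPLE = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 18765 /run/dbus/system_bus_socket
0000000000000000: 00000002 00000000 00010000 0001 01 18766 @/tmp/dbus-K3hXn0c2
0000000000000000: 00000003 00000000 00000000 0001 03 18767 @/tmp/dbus-K3hXn0c2
0000000000000000: 00000002 00000000 00000000 0002 01 18768
0000000000000000: 00000002 00000000 00010000 0005 01 18769 @/tmp/.X11-unix/X0
"""
if __name__ == "__main__":
    text = open("/proc/net/unix").read() if os.path.exists("/proc/net/unix") else SAMPLE
    for name in listening_abstract_names(parse_proc_net_unix(text)):
        print(name)
```

Run inside a container that shares the host network namespace and compare the output with the host's own list: the two will match, which is exactly the exposure the message above describes.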
