This is again related to the FUSE permission thread, but a slightly
different idea and without a slimy hack patch.
I really want to enable users to be able to create private namespaces,
but I want to try and avoid creating a venerability by allowing them
to abuse system resources. It looks like this can be done by adding
RLIMIT_NEWNS as a per-user resource limit, and tracking the number of
private namespaces a user has in the user_struct. Any time a user
creates a private namespace (either via clone with CLONE_NEWNS) or any
other method, this limit is checked and the per user count is
incremented (in copy_namespace). When namespaces are cleaned up (in
__put_namespace), the per-user count is decremented.
Is this sufficient to cover any exposure? What's the correct solution
for the shared sub-trees RFC? Should there be something similar for
user mounts/binds?
-eric
-
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
