James Bottomley <[email protected]> writes:

> On July 8, 2016 1:38:19 PM PDT, Andrew Vagin <[email protected]> wrote:
>> What do you think about the idea to mount nsfs and be able to look up
>> any alive namespace by inum:
>
> I think I like it. It will give us a way to enter any extant
> namespace. It will work for Eric's fs namespaces as well. Perhaps a
> /process/ns/<inum> directory?

*Shivers*

That makes it very easy to bypass any existing controls that exist for
getting at namespaces. It is true that everything of that kind is
directory based, but still.

Plus I think it would serve as an information leak to information outside
of the container.

An operation to get a user namespace file descriptor from some kernel
object sounds reasonably sane. A great big list of things sounds about
as scary as it can get.

This is not the time to be making it easier to escape from containers.

Eric

