On Mon, Feb 20, 2017 at 5:05 AM, Eric W. Biederman <[email protected]> wrote:
> Alexey Gladkov <[email protected]> writes:
>
>> The pidfs filesystem contains a subset of the /proc file system which
>> contains only information about the processes.
>
> My summary of your motivation.
>
> It hurts when I create a container with a process with uid 0 inside of
> it. This generates lots of hacks to attempt to limit uid 0.
>
> My answer: Don't run a container with a real uid 0 inside of it.
I agree. Unless I'm missing something, I'd say use a user namespace to get
decent permission checks in /proc (and /sys).

--
Thanks,
//richard
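To make concrete what "use a user namespace" buys you, here is an added example (not code from this thread or from the kernel tree): the process creates a fresh user namespace with unshare(CLONE_NEWUSER), maps itself to uid 0 inside it, and then tries a capability-gated operation on a resource that is still owned by the parent namespace. The kernel's permission checks in /proc and /sys work on the same principle: they compare kernel-internal uids and check capabilities in the user namespace that owns the object, so a "root" that exists only inside a child user namespace is denied. The sethostname() probe is my choice of a deterministic check (the UTS namespace was not unshared, so it remains owned by the initial user namespace); the return codes, the helper name write_proc_self and the fallback for environments that forbid unprivileged user namespaces are all assumptions of this example, not anything the thread specifies.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write a string into one of this process's /proc/self control files
 * (uid_map, gid_map, setgroups). Returns 0 on success, -1 on failure.
 * Helper name is an assumption of this example. */
static int write_proc_self(const char *file, const char *text)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/%s", file);
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Enter a new user namespace as uid 0, then try a capability-gated
 * operation on an object owned by the parent user namespace.
 *
 * Returns 0  when the demonstration behaved as expected (uid 0 inside,
 *            EPERM against the parent-owned resource),
 *         1  when this environment does not allow creating a user
 *            namespace (seccomp, sysctl, or a kernel without CONFIG_USER_NS),
 *        -1  on any other unexpected result. */
int userns_demo(void)
{
    uid_t outer_uid = getuid();
    gid_t outer_gid = getgid();
    char buf[64];

    if (unshare(CLONE_NEWUSER) < 0) {
        if (errno == EPERM || errno == EINVAL || errno == ENOSYS ||
            errno == ENOSPC || errno == EUSERS)
            return 1;           /* user namespaces unavailable here */
        return -1;
    }

    /* Map "uid 0 inside" to our own real uid outside. Mapping only the
     * caller's own id needs no privilege in the parent namespace; gid_map
     * additionally requires setgroups to be denied first. */
    snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)outer_uid);
    if (write_proc_self("uid_map", buf) < 0)
        return -1;
    write_proc_self("setgroups", "deny");   /* file absent on very old kernels */
    snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)outer_gid);
    if (write_proc_self("gid_map", buf) < 0)
        return -1;

    /* Inside the namespace we now look like root ... */
    if (getuid() != 0)
        return -1;

    /* ... but our capabilities cover only objects owned by the new user
     * namespace. The UTS namespace is still owned by the parent, so
     * sethostname() (CAP_SYS_ADMIN over the owner of the UTS ns) must fail
     * with EPERM. Passing the current name means a surprising success
     * would change nothing. */
    char host[256];
    if (gethostname(host, sizeof host) < 0)
        return -1;
    if (sethostname(host, strlen(host)) == 0)
        return -1;              /* kernel granted a capability it should not have */
    return errno == EPERM ? 0 : -1;
}

int main(void)
{
    int rc = userns_demo();
    printf("getuid() now reports %u, result code %d "
           "(0 = denied as expected, 1 = user namespaces unavailable)\n",
           (unsigned)getuid(), rc);
    return rc == 0 ? 0 : 1;
}
```

Build with `gcc -Wall userns_demo.c -o userns_demo` and run as an ordinary user on a kernel that permits unprivileged user namespaces. The same denial applies to uid-0-inside processes poking at root-owned entries under /proc and /sys: ownership there is expressed in kernel-internal uids of the initial namespace, which the child namespace's uid 0 does not match, and the capability checks are performed against the owning namespace. That is the property the reply above relies on instead of per-file hacks around a real uid 0.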

