--- Al Viro <[EMAIL PROTECTED]> wrote: > On Wed, Oct 03, 2007 at 10:21:08AM -0700, Casey Schaufler wrote: > > > what > > > happens if we want it in two chroot jails with different layouts? > > > > As you can only have /smack mounted once, this isn't an issue, > > but it does present an interesting use case that brings the one > > mount limitation into question. I'll add addressing this to the > > short term todo list. > > Of course you can mount it more than once. Just bind the sucker and you > are done. > > > > I really don't get it; why not simply have something like > > > /smack/tmp.link resolve to tmp/<label> and have userland bind or mount > > > whatever you bloody like on /smack/tmp? > > > > Because you throw "simple" out the window when you require userland > > assistance to perform this function. > > Any more than having /tmp replaced with a symlink?
Yes. By the way, there's nothing that really requires that you use a /smack symlink if you don't want to. /tmp can still be a real directory, a mount point, a symlink to /var/tmp, or whatever else you want it to be if that suits your needs better. For the simplest scenarios /tmp -> /smack/tmp -> /moldy/<label> has every other scheme I've seen throughly beaten. > > I'm having some trouble seeing how the 60 lines of code in > > smackfs dealing with symlinks would be improved by your suggestions. > > I certainly don't see how requiring userland intervention would > > do anything but make it bigger and less reliable. > > _What_ userland intervention? Mounting stuff under /smack/tmp and not under > your /moldy? Who said anything about mounting under /moldy? I never did. > Having /tmp replaced with symlink to /smack/tmp.link instead > of replacing it with a symlink to /smack/tmp? > > Absolute paths in that kind of thing are _wrong_. You know where the things > are on your fs. You don't know if anything else will be visible, let alone > whether it will be at the same place in all chroots or namespaces. And no, > you _can't_ make sure that fs is visible only in one place. No fs can or > has any business even trying. Is the objection that there is a default value coded in? Casey Schaufler [EMAIL PROTECTED] - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/