On Tue, Sep 09, 2014 at 12:20:46PM -0500, riya khanna wrote:
> Hi,
>
> I'm a newbie trying to come up with a fuse/cuse-based solution to
> device namespace virtualization.
Fwiw I find the thought of allowing use of cuse from a container (well, an
unprivileged container at least) more than a little bit frightening from a
security perspective. If a process does an ioctl on a cuse-based device then
the process implementing the device can get a very broad ability to read and
write in the initiator's address space. If the device were to show up
automagically in devtmpfs and a process on the host could be tricked into
opening the device, then that sounds like a great vector for an attack.

Just something to keep in mind.

Seth
_______________________________________________
lxc-devel mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-devel
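
The check a container operator would want after reading the message above, as an added example that is not part of the original thread and not code from the LXC project: a small POSIX shell function that walks the device-cgroup rules of an lxc 1.x style config (`lxc.cgroup.devices.allow` / `lxc.cgroup.devices.deny`) and reports whether the container ends up allowed to open /dev/cuse, the node a CUSE server has to open before it can register a device. It assumes the rules apply in file order with the last matching rule winning, that /dev/cuse is the misc character device major 10, minor 203, and that a rule granting either read or write on a matching node is enough to open it; the sample configs at the bottom are constructed, not taken from any real container.

```shell
#!/bin/sh
# Added example: not code from the thread above or from the LXC project.
#
# cuse_allowed FILE  (or "-" for stdin)
#   Reads lxc 1.x style device-cgroup rules of the form
#     lxc.cgroup.devices.allow = <type> <major>:<minor> <perms>
#     lxc.cgroup.devices.deny  = <type> <major>:<minor> <perms>
#   and exits 0 if, after applying them in file order, the container may
#   open /dev/cuse, 1 otherwise.
# Assumptions (not stated in the thread): later matching rules override
# earlier ones, /dev/cuse is the misc character device 10:203, and a rule
# granting either read or write on a matching node is enough to open it.
cuse_allowed() {
    awk -v cmaj=10 -v cmin=203 '
        # Does one rule body ("c 10:203 rwm", "a", "c 10:* rw", ...) match cuse?
        function covers(rule,    f, n, d) {
            n = split(rule, f, /[ \t]+/)
            if (f[1] == "a") return 1          # "a" (or "a *:* rwm"): every device
            if (n < 3 || f[1] != "c") return 0 # cuse is a character device
            split(f[2], d, ":")
            if (d[1] != "*" && d[1] != cmaj) return 0
            if (d[2] != "*" && d[2] != cmin) return 0
            return f[3] ~ /[rw]/               # r or w suffices to open the node
        }
        /^[ \t]*lxc\.cgroup\.devices\.(allow|deny)[ \t]*=/ {
            allow = ($0 !~ /devices\.deny/)
            sub(/^[^=]*=[ \t]*/, "")           # keep only the rule body
            if (covers($0)) hit = allow        # last matching rule wins
        }
        END { exit(hit ? 0 : 1) }
    ' "$1"
}

# Constructed sample configs (not taken from any real container).
# safe_cfg: deny everything, then allow only /dev/null (1:3) and /dev/fuse (10:229).
safe_cfg='lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 10:229 rwm'

# wide_cfg: a misc-device wildcard that quietly covers cuse (10:203) as well.
wide_cfg='lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 10:* rwm'

printf '%s\n' "$safe_cfg" | cuse_allowed - && echo "safe_cfg: grants /dev/cuse" || echo "safe_cfg: no /dev/cuse"
printf '%s\n' "$wide_cfg" | cuse_allowed - && echo "wide_cfg: grants /dev/cuse (10:* wildcard)" || echo "wide_cfg: no /dev/cuse"

# Live check on the system the script runs on: is the node even there?
[ -c /dev/cuse ] && echo "/dev/cuse present here" || echo "/dev/cuse absent here"
```

The wildcard case is the one worth looking for: `c 10:* rwm` is a common way to hand a container /dev/fuse (10:229) or /dev/net/tun (10:200), and it grants /dev/cuse (10:203) along with them. Run the function against each container's config after any edit to the device rules, and pair it with the live `-c /dev/cuse` test inside the container, since a node created by hand or via a bind mount is not visible in the config at all.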
