Mike Waychison wrote:
> If I understand what Hans is looking to get done, he's asking for someone to architect a system where any given process can be restricted to seeing/accessing a subset of the namespace (in the sense of "a tree of directories/files"). Eg: process Foo is allowed access to write to /etc/group, but _not_ allowed access to /etc/shadow, under any circumstances && Foo will be run as root. Hell, maybe Foo is never able to even _see_ /etc/shadow (making it a true shadow file :).

You are correct, you cannot even see /etc/shadow.
The term mask may be more communicative than view. We are starting to use the term mask.

> Hans, correct me if I misunderstood.
>
> [*] Somebody really should s/struct namespace/struct mounttable/g (or even mounttree) on the kernel sources. 'Namespace' isn't very descriptive and it leads to confusion :(
>
> --
> Mike Waychison
> Sun Microsystems, Inc.
> 1 (650) 352-5299 voice
> 1 (416) 202-8336 voice
> http://www.sun.com
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> NOTICE: The opinions expressed in this email are held by me,
> and may not represent the views of Sun Microsystems, Inc.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~