On Mon, Nov 30, 2015 at 10:09:38AM -0500, Tejun Heo wrote:
> Hello, Serge.
>
> On Thu, Nov 26, 2015 at 11:17:45PM -0600, Serge E. Hallyn wrote:
> > > Wouldn't it be simpler to walk dentry from kernfs root than
> > > duplicating dentry instantiation?
> >
> > Sorry I don't think I'm following. Are
On Mon, Nov 30, 2015 at 05:08:34PM -0600, Eric W. Biederman wrote:
> "Serge E. Hallyn" writes:
>
> > A common way for daemons to run with minimal privilege is to start as root,
> > perhaps setuid-root, choose a desired capability set, set PR_SET_KEEPCAPS,
> > then change uid to non-root. A simpl
elative kernfs path
The new function kernfs_path_from_node() generates and returns kernfs
path of a given kernfs_node relative to a given parent kernfs_node.
Changelog 20151125:
- Fully-wing multiline comments
- Rework kernfs_path_from_node_locked() logic
- Replace BUG_ONs with returning NULL
"Serge E. Hallyn" writes:
> A common way for daemons to run with minimal privilege is to start as root,
> perhaps setuid-root, choose a desired capability set, set PR_SET_KEEPCAPS,
> then change uid to non-root. A simpler way to achieve this is to set file
> capabilities on a not-setuid-root bin
Hello, Serge.
On Mon, Nov 30, 2015 at 12:37:58PM -0600, Serge E. Hallyn wrote:
> > Yeah, I agree but the name is kinda misleading tho. The output isn't
> > really a relative path but rather absolute path against the specified
> > root. Maybe updating the function and parameter names would be
> >
A common way for daemons to run with minimal privilege is to start as root,
perhaps setuid-root, choose a desired capability set, set PR_SET_KEEPCAPS,
then change uid to non-root. A simpler way to achieve this is to set file
capabilities on a not-setuid-root binary. However, when installing a pac
On Mon, Nov 30, 2015 at 10:11:47AM -0500, Tejun Heo wrote:
> Hello,
>
> On Thu, Nov 26, 2015 at 11:25:11PM -0600, Serge E. Hallyn wrote:
> > > > + /* Short-circuit the easy case - kn_to is the root node. */
> > > > + if ((kn_from == kn_to) || (!kn_from && !kn_to->parent)) {
> > > > +
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> If manual mounting with elevated permissions is required
> this can currently only be done in pre-start hooks or before
> starting LXC. In both cases the mounts would appear in the
> host's namespace.
> With this flag the namespace is unshared b
Hello,
On Thu, Nov 26, 2015 at 11:25:11PM -0600, Serge E. Hallyn wrote:
> > > + /* Short-circuit the easy case - kn_to is the root node. */
> > > + if ((kn_from == kn_to) || (!kn_from && !kn_to->parent)) {
> > > + *p = '/';
> > > + *(p + 1) = '\0';
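Review bot: the comment on the short-circuit says "kn_to is the root node", but the first clause of the condition, kn_from == kn_to, matches any node, root or not. The comment should state that both cases (same node, and no kn_from with a parentless kn_to) yield "/". The two stores to *p and *(p + 1) also assume at least two bytes of buffer, and nothing in the quoted lines checks the length first, so a check on the buffer size ahead of them would make that assumption explicit.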
> >
> > Hmm... so if kn_from ==
Hello, Serge.
On Thu, Nov 26, 2015 at 11:17:45PM -0600, Serge E. Hallyn wrote:
> > Wouldn't it be simpler to walk dentry from kernfs root than
> > duplicating dentry instantiation?
>
> Sorry I don't think I'm following. Are you suggesting walking the
> kn->parent chain backward and doing d_looku
Changes:
Patch 1 (AppArmor profile): Acked-by line
Patch 2:
-) renamed the option to lxc.monitor.unshare
-) "fixed" documentation (hadn't described the default value
correctly). The default is 'off', since that way it doesn't change
any existing containers.
Wolfgang Bumiller (2):
AppArm
If manual mounting with elevated permissions is required
this can currently only be done in pre-start hooks or before
starting LXC. In both cases the mounts would appear in the
host's namespace.
With this flag the namespace is unshared before the startup
sequence, so that mounts performed in the pr
The profile already contains
mount options=(rw, make-slave) -> **,
Which allows going through all mountpoints with make-slave,
so it seems to make sense to also allow the directly
recursive variant with "make-rslave".
Signed-off-by: Wolfgang Bumiller
Acked-by: Serge E. Hallyn
---
config/appa