From: ebiederm@xmission.com (Eric W. Biederman)
To: "Paul Menage" <menage@google.com>
Cc: "Sam Vilain" <sam@vilain.net>,
	"Srivatsa Vaddagiri" <vatsa@in.ibm.com>,
	ckrm-tech@lists.sourceforge.net, linux-kernel@vger.kernel.org,
	xemul@sw.ru, dev@sw.ru, pj@sgi.com, winget@google.com,
	containers@lists.osdl.org, "Serge E. Hallyn" <serue@us.ibm.com>,
	akpm@linux-foundation.org
Subject: Re: [ckrm-tech] [PATCH 0/2] resource control file system - aka containers on top of nsproxy!
Date: Wed, 07 Mar 2007 19:25:54 -0700
Message-ID: <m1zm6o8o99.fsf@ebiederm.dsl.xmission.com>
In-Reply-To: <6599ad830703071735m222e26b7v47a54ca0aaffd902@mail.gmail.com> (Paul Menage's message of "Wed, 7 Mar 2007 17:35:58 -0800")

"Paul Menage" <menage@google.com> writes:

> On 3/7/07, Eric W. Biederman <ebiederm@xmission.com> wrote:
>> The real trick is that I believe these groupings are designed to be something
>> you can set up on login and then not be able to switch out of.
>
> That's going to be the case for most resource controllers - is that
> the case for namespaces? (e.g. can any task unshare say its mount
> namespace?)

With namespaces there are secondary issues with unsharing.  Weird things
like a simple unshare might allow you to replace /etc/shadow and thus
mess up a suid root application.

Once people have worked through those secondary issues unsharing of
namespaces is likely allowable (for someone without CAP_SYS_ADMIN).
Although if you pick the truly hierarchical namespaces the pid
namespace unsharing will simply give you a parent of the current
namespace.

For resource controls I expect unsharing is likely to be like the pid
namespace.  You might allow it but if you do you are forced to be a
child and possibly there will be hierarchy depth restrictions.
Assuming you can implement hierarchical accounting without too much
expense.



Eric
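
The CAP_SYS_ADMIN gate on unsharing the mount namespace that the message refers to can be observed from userspace. This is an added example, not part of the original message or of any patch in the thread; `probe_unshare` is a hypothetical helper, and it performs the attempt in a forked child so the caller's own namespaces are never changed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000 /* mount namespace flag, as in <linux/sched.h> */
#endif

/* Hypothetical helper: attempt unshare(flags) in a throwaway child.
 * Returns 0 if the kernel allowed it, the child's errno (EPERM when the
 * caller lacks CAP_SYS_ADMIN) if it refused, or -1 if the probe failed. */
int probe_unshare(int flags)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) { /* child: try the unshare, report the outcome, exit */
        close(fds[0]);
        int err = syscall(SYS_unshare, flags) == 0 ? 0 : errno;
        ssize_t w = write(fds[1], &err, sizeof err);
        _exit(w == (ssize_t)sizeof err ? 0 : 1);
    }
    close(fds[1]);
    int err = -1;
    ssize_t r = read(fds[0], &err, sizeof err);
    close(fds[0]);
    waitpid(pid, NULL, 0); /* reap the child; its namespace dies with it */
    return r == (ssize_t)sizeof err ? err : -1;
}

int main(void)
{
    int r = probe_unshare(CLONE_NEWNS);
    printf("unshare(CLONE_NEWNS): %s\n", r == 0 ? "allowed" : r > 0 ? strerror(r) : "probe failed");
    return r < 0;
}
```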
