[PATCH 2/2] hijack: update task_alloc_security
Crispin Cowan
crispin at crispincowan.com
Tue Nov 27 21:53:47 PST 2007
Serge E. Hallyn wrote:
> Quoting Casey Schaufler (casey at schaufler-ca.com):
>
>> Could y'all bring me up to speed on what this is intended to
>> accomplish so that I can understand the Smack implications?
>>
> It's basically like ptracing a process, forcing it to fork, then having
> the child execute a file and continue as your child. It takes part of
> its state from the current process (stack etc), some from the hijacked
> process (namespaces, keys?), and an lsm can decide for itself whose ->security
> should be used for the child process.
>
That just doesn't gob smack me with the obvious abstract intention of
this API :)
So it is like I want to run a process inside a name space, but I am not
inside that name space, so I highjack one that is in there, force it to
fork, and then give me its child. Ugh.
Couldn't we just implement "put me in that namespace over there?" AFAIK
namespaces don't actually have names, making it hard to implement "put
me in namespace Foo", but I view that as a defect of namespaces that
should be fixed, rather than hacked around.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin
CEO, Mercenary Linux http://mercenarylinux.com/
Itanium. Vista. GPLv3. Complexity at work
More information about the Containers
mailing list