[lxc-devel] [systemd-devel] Suspending access to opened/active /dev/nodes during application runtime

Oren Laadan orenl at cellrox.com
Tue Mar 11 16:02:46 UTC 2014


On Fri, Mar 7, 2014 at 3:51 PM, Lukasz Pawelczyk <havner at gmail.com> wrote:

>
> On 7 Mar 2014, at 20:24, Lennart Poettering <mzerqung at 0pointer.de> wrote:
>
> > On Fri, 07.03.14 19:45, Lukasz Pawelczyk (havner at gmail.com) wrote:
> >
> >> Problem:
> >> Has anyone thought about a mechanism to limit/remove an access to a
> >> device during an application runtime? Meaning we have an application
> >> that has an open file descriptor to some /dev/node and depending on
> >> *something* it gains or loses the access to it gracefully (with or
> >> without a notification, but without any fatal consequences).
> >
> > logind can mute input devices as sessions are switched, to enable
> > unprivileged X11 and wayland compositors.
>
> Would you please elaborate on this? Where is this mechanism? How does it
> work without kernel space support? Is there some kernel space support I'm
> not aware of?
>
> >> Example:
> >> LXC. Imagine we have 2 separate containers. Both running full operating
> >> systems. Specifically with 2 X servers. Both running concurrently of
> >
> > Well, devices are not namespaced on Linux (with the single exception of
> > network devices). An X server needs device access, hence this doesn't
> > fly at all.
> >
> > When you enumerate devices with libudev in a container they will never
> > be marked as "initialized" and you do not get any udev hotplug events in
> > containers, and you don't have the host's udev db around, nor would it
> > make any sense to you if you had. X11 and friends rely on udev
> > however...
> >
> > Before you think about doing something like this, you need to fix the
> > kernel to provide namespaced devices (good luck!)
>
> Precisely! That's the generic idea. I'm not for implementing it though at
> this moment. I just wanted to know whether anybody actually thought about it
> or maybe someone is interested in starting such a work, etc.
>

Yes, we have started such a thing. Here is the link to the wiki:
https://github.com/Cellrox/devns-patches/wiki

[...]

Oren.
