Re: (pspace,pid) vs true pid virtualization

From: Dave Hansen
Date: Mon Feb 20 2006 - 13:17:20 EST

Next message: Christoph Hellwig: "Re: Areca RAID driver remaining items?"
Previous message: Rafael J. Wysocki: "Re: Which is simpler? (Was Re: [Suspend2-devel] Re: [ 00/10] [Suspend2] Modules support.)"
In reply to: Kirill Korotaev: "Re: (pspace,pid) vs true pid virtualization"
Next in thread: Eric W. Biederman: "Re: (pspace,pid) vs true pid virtualization"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2006-02-20 at 12:54 +0300, Kirill Korotaev wrote:
> VPS has reached it's process limit and you can't enter it.
> If you suggest to make enter without resource limitations, then it will
> be a security hole.

I think the question is:

Can or should an administrative process be able to do things
inside of a container, without being subject that that
container's resource limitations?

Implementation wise, I'm sure we _can_ do something like that. We
simply have to make sure that when processes are entering containers,
they are subject to the originating container's resource limits, not the
destination.

Could you explain why this is a security hole?

-- Dave

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Christoph Hellwig: "Re: Areca RAID driver remaining items?"
Previous message: Rafael J. Wysocki: "Re: Which is simpler? (Was Re: [Suspend2-devel] Re: [ 00/10] [Suspend2] Modules support.)"
In reply to: Kirill Korotaev: "Re: (pspace,pid) vs true pid virtualization"
Next in thread: Eric W. Biederman: "Re: (pspace,pid) vs true pid virtualization"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]