Re: [PATCH] Add pidfs filesystem

From: Richard Weinberger
Date: Wed Feb 22 2017 - 15:14:53 EST


On Mon, Feb 20, 2017 at 5:05 AM, Eric W. Biederman
<ebiederm@xxxxxxxxxxxx> wrote:
> Alexey Gladkov <gladkov.alexey@xxxxxxxxx> writes:
>
>> The pidfs filesystem contains a subset of the /proc file system which
>> contains only information about the processes.
>
> My summary of your motivation.
>
> It hurts when I create a container with a process with uid 0 inside of
> it. This generates lots of hacks to attempt to limit uid 0.
>
> My answer: Don't run a container with a real uid 0 inside of it.

I agree. Unless I miss something I'd say use a user namespace
to get decent permission checks in /proc (and /sys).

--
Thanks,
//richard