[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 5 Jun 2011 23:53:43 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Subject: Re: procfs mount options
Solar,
On Sun, Jun 05, 2011 at 23:40 +0400, Solar Designer wrote:
> Since recent versions of OpenVZ build upon the namespaces code that has
> been upstream'ed, I guess this will rely on upstream's namespaces code
> (once we move to RHEL6'ish OpenVZ kernels and beyond), correct?
Namespaces - yes. But AFAIK, only a pair of sysctls is accessible in
containers, IIRC, only net sysctls.
> Now, leaving sysctl's aside and speaking of mount options only for now,
> what happens when a container mounts /proc with umask=007, but then
> another container mounts /proc without that option or with umask=0?
> Does the first container retain its restricted perms, including for
> newly appearing entries under its /proc? If so, where is this different
> setting stored? Is it per mount (preferable)? Is it per pid namespace
> (OK)?
It is per-pid_namespace, it should be fully consistent with OpenVZ.
Thanks,
--
Vasiliy
Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
