Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 29 Jul 2016 18:17:26 +0000
From: "Reshetova, Elena" <>
To: Jann Horn <>, ""
CC: ""
	<>, ""
	<>, "" <>,
	"" <>, "Schaufler, Casey"
	<>, "Leibowitz, Michael"
	<>, "Roberts, William C"
Subject: RE: [RFC] [PATCH 2/5] task_unshare LSM hook

> Why would you have an LSM hook just for the unshare() syscall given that
clone() exposes nearly the same functionality?

My trace of thought was like this: Clone creates new process, so we have two

-  do one more hook here also (or have a joint hook) and then also add the
info about this process into the hardchroot info list


- do not add this child process to the list and therefore we don't need
updated pointers on fs for it, but just treat it as a child (since it would
be chrooted to the same location unless it calls unshare, chroot, pivot_root
or similar).

I went with the second approach to minimize the hooks changes needed and
number of processes to store in internal list. 

Download attachment "smime.p7s" of type "application/pkcs7-signature" (7586 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.