From: Alex Lyashkov (shadow_at_psoft.net)
Date: Thu 09 Oct 2003 - 05:04:20 BST

• Previous message: Herbert Poetzl: "Re: [vserver] kernel 2.4.21ctx-17c and 2.4.22ctx-17c available"
• In reply to: Jacques Gelinas: "Re: [vserver] kernel 2.4.22ctx-18 pre1"
• Next in thread: Jacques Gelinas: "Re: [vserver] kernel 2.4.22ctx-18 pre1"
• Next in thread: Herbert Poetzl: "Re: [vserver] kernel 2.4.22ctx-18 pre1"
• Reply: Jacques Gelinas: "Re: [vserver] kernel 2.4.22ctx-18 pre1"

On Wednesday 08 October 2003 22:38, Jacques Gelinas wrote:
> On Wed, 8 Oct 2003 07:59:03 -0500, Rik van Riel wrote
>
> > On Tue, 7 Oct 2003, Alex Lyashkov wrote:
> > > On Tuesday 07 October 2003 03:34, Jacques Gelinas wrote:
> > > > chrootsafe
> > > >
> > > > This is a new system call that unlike chroot, can't be escaped.
> > >
> > > why don`t use private namespace ?
> >
> > Good question. Using CLONE_NEWNS followed by a recursive
> > bind mount to hide everything else would be so much better
> > than adding a new syscall.
>
> This is probably a minor problem, but if we want to support vservers inside
> vserver we must allow mount ? This is a problem. mount let you DOS
> a machine. Further, mount is covered by a very broad capability.
>
> Am I missing something ?
>
yes.
In private namespace created _private_ mounts tree.
i see one posible DDoS - you can be use it for kernel exhaust memory when do
many many mounts.
What DDoS you see ?

-- 
With best regards,
Alex

• Previous message: Herbert Poetzl: "Re: [vserver] kernel 2.4.21ctx-17c and 2.4.22ctx-17c available"
• In reply to: Jacques Gelinas: "Re: [vserver] kernel 2.4.22ctx-18 pre1"
• Next in thread: Jacques Gelinas: "Re: [vserver] kernel 2.4.22ctx-18 pre1"
• Next in thread: Herbert Poetzl: "Re: [vserver] kernel 2.4.22ctx-18 pre1"
• Reply: Jacques Gelinas: "Re: [vserver] kernel 2.4.22ctx-18 pre1"