From: Alex Lyashkov (shadow_at_psoft.net)
Date: Thu 09 Oct 2003 - 05:04:20 BST
On Wednesday 08 October 2003 22:38, Jacques Gelinas wrote:
> On Wed, 8 Oct 2003 07:59:03 -0500, Rik van Riel wrote
> > On Tue, 7 Oct 2003, Alex Lyashkov wrote:
> > > On Tuesday 07 October 2003 03:34, Jacques Gelinas wrote:
> > > > chrootsafe
> > > >
> > > > This is a new system call that unlike chroot, can't be escaped.
> > >
> > > why don`t use private namespace ?
> > Good question. Using CLONE_NEWNS followed by a recursive
> > bind mount to hide everything else would be so much better
> > than adding a new syscall.
> This is probably a minor problem, but if we want to support vservers inside
> vserver we must allow mount ? This is a problem. mount let you DOS
> a machine. Further, mount is covered by a very broad capability.
> Am I missing something ?
In private namespace created _private_ mounts tree.
i see one posible DDoS - you can be use it for kernel exhaust memory when do
many many mounts.
What DDoS you see ?
-- With best regards, Alex