From: Jon Bendtsen (jon707_at_kollegiegaarden.dk)
Date: Sun 07 Dec 2003 - 12:03:29 GMT
On Saturday 06 December 2003 16:25, Herbert Poetzl wrote:
> On Sat, Dec 06, 2003 at 01:27:15PM +0100, Jon Bendtsen wrote:
> > On Saturday 06 December 2003 13:08, Dariush Pietrzak wrote:
> > No I don't, I want all vservers by default to be disallowed access
> > to block devices, EVEN IF THERE IS A DEV ENTRY.
> hmm, guess that isn't that easy to accomplish,
> but I can have a look at the code, and think
> about the possibilities ... maybe disallowing
> an open for block devices could be sufficient
Thanks. You know block devices might not be the only devices we need to
limit access to.
> > > I don't really get where the problem is - you want all your
> > > vservers permanently banned from accessing block devices? Even
> > > if you create those devices yourself especially for your
> > > vserver to access them? Or what?
> > That's why you could have a CAP_BLOCK_ACCESS
> maybe as per vserver capability, once we have
> that system up and running, but the CAP_*
> resources are scarce ... (30/32)
That would be nice, but why are they only using 5 bits for the
capabilities? I would think that regular 8 bits would be smarter.
Vserver mailing list