Re: sys_vserver

[Rik van Riel]

On Wed, 1 Oct 2003, Chris Wright wrote:

> > 3) the needs that can be met with existing infrastructure, like
> >    CLONE_NEWNS or LSM should definately move out of the vserver
> >    patch in the port to 2.6
> 
> Glad to hear it.  I haven't looked closely at vserver since about 2.4.14,
> but I had hoped to find ways to minimize the vserver patch by reusing
> some of the LSM infrastructure. 

That is my biggest issue, too.  I really want vserver, but
I don't want to carry around a patch that's any larger than
it needs to be ;)

> The biggest issue was the ability to virtualize the results of something
> like the hostname to be ctx specific, which was deemed too much to do
> for the LSM interfaces.

Yup, that is indeed too much for the LSM interface;  because
of that additional things would seem needed.

> > 4) I'm all for generalising the interface, how about sys_virtual_context ?
> 
> I _think_ this can be done with /proc/[pid]/attr/.  This allows you to
> set the security attributes of a process. 

> http://mail.wirex.com/pipermail/linux-security-module/2003-April/4264.html       

Ohhhhhh.  I will need to check this out.  Thanks for the
information.  I've asked some selinux people whether there
was functionality like this and they didn't think so. Good
to see there is something after all ;)

I'll look at this in more detail to see whether it would
be enough to implement virtual host functionality.

-- 
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/