Re: [PATCH] Add pidfs filesystem

From: Richard Weinberger
Date: Wed Feb 22 2017 - 15:14:53 EST

On Mon, Feb 20, 2017 at 5:05 AM, Eric W. Biederman
<ebiederm@xxxxxxxxxxxx> wrote:
> Alexey Gladkov <gladkov.alexey@xxxxxxxxx> writes:
>> The pidfs filesystem contains a subset of the /proc file system which
>> contains only information about the processes.
> My summary of your motivation.
> It hurts when I create a container with a processes with uid 0 inside of
> it. This generates lots of hacks to attempt to limit uid 0.
> My answer: Don't run a container with a real uid 0 inside of it.

I agree. Unless I miss something I'd say use a user namespace
to get decent permission checks in /proc (and /sys).