Re: [PATCH] Add pidfs filesystem
From: Richard Weinberger
Date: Wed Feb 22 2017 - 15:14:53 EST
On Mon, Feb 20, 2017 at 5:05 AM, Eric W. Biederman
> Alexey Gladkov <gladkov.alexey@xxxxxxxxx> writes:
>> The pidfs filesystem contains a subset of the /proc file system which
>> contains only information about the processes.
> My summary of your motivation.
> It hurts when I create a container with a process with uid 0 inside of
> it. This generates lots of hacks to attempt to limit uid 0.
> My answer: Don't run a container with a real uid 0 inside of it.
I agree. Unless I miss something I'd say use a user namespace
to get decent permission checks in /proc (and /sys).
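
What "decent permission checks" from a user namespace look like in practice, as an added example for this thread (my own code, not part of the patch or the kernel tree): the program forks a child that calls unshare(CLONE_NEWUSER), maps uid/gid 0 inside to its own unprivileged ids outside, and then probes two things as the namespace's "root". Opening a kernel sysctl for writing fails (typically EACCES, because the file is owned by the initial namespace's uid 0, which has no mapping in the new namespace, so the namespace's own CAP_DAC_OVERRIDE does not apply), while an ordinary file it creates shows up outside owned by the real uid. The probe target /proc/sys/kernel/hostname, the scratch directory under /tmp, and the struct and function names are this example's choices; it assumes a kernel that permits unprivileged user namespaces and a mounted /proc.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case the toolchain did not see _GNU_SOURCE before <sched.h>. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);

/* What the child observes inside the new namespace (names are this example's). */
struct userns_report {
    int setup_errno;       /* 0 if unshare() and the uid_map write both succeeded */
    uid_t euid_inside;     /* geteuid() once uid 0 inside is mapped to our real uid */
    int sysctl_open_errno; /* errno from open(O_WRONLY) on a kernel sysctl, 0 if allowed */
    int file_created;      /* 1 if "root" could create a file in the scratch directory */
};

static int write_str(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Child side: become uid 0 in a user namespace whose uid 0 is our own
 * unprivileged uid outside, then probe what that "root" can do. */
static void child_probe(int out_fd, const char *scratch, uid_t outer_uid, gid_t outer_gid)
{
    struct userns_report r = {0};
    char map[64];
    int fd;

    if (unshare(CLONE_NEWUSER) < 0) { r.setup_errno = errno; goto report; }
    /* An unprivileged process must deny setgroups before it may write gid_map,
     * and may only map a single range onto its own ids. */
    write_str("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)outer_gid);
    write_str("/proc/self/gid_map", map);
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)outer_uid);
    if (write_str("/proc/self/uid_map", map) < 0) { r.setup_errno = errno; goto report; }
    r.euid_inside = geteuid();

    /* /proc/sys/kernel/* is owned by the initial namespace's root, which has no
     * mapping here, so the namespace's CAP_DAC_OVERRIDE cannot override 0644. */
    fd = open("/proc/sys/kernel/hostname", O_WRONLY);
    if (fd < 0) r.sysctl_open_errno = errno; else close(fd);

    /* Ordinary work still succeeds: the new inode gets kuid outer_uid. */
    fd = open(scratch, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd >= 0) { r.file_created = 1; close(fd); }
report:
    if (write(out_fd, &r, sizeof r) != (ssize_t)sizeof r) _exit(1);
    _exit(0);
}

/* Parent side: run the probe in a forked child so the caller stays in its own
 * namespaces, then check who owns the file the child created "as root".
 * Returns 0 on success (r->setup_errno says whether the namespace was entered),
 * -1 if mkdir/pipe/fork failed or the child reported nothing. */
int run_userns_probe(struct userns_report *r, uid_t *owner_seen_outside)
{
    char dir[64], path[96];
    int p[2];
    struct stat st;
    snprintf(dir, sizeof dir, "/tmp/userns-probe-%ld", (long)getpid());
    snprintf(path, sizeof path, "%s/created-as-root", dir);
    *owner_seen_outside = (uid_t)-1;
    if (mkdir(dir, 0700) < 0 || pipe(p) < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(p[0]); child_probe(p[1], path, getuid(), getgid()); }
    close(p[1]);
    ssize_t n = read(p[0], r, sizeof *r);
    close(p[0]);
    waitpid(pid, NULL, 0);

    if (n == (ssize_t)sizeof *r && r->file_created && stat(path, &st) == 0)
        *owner_seen_outside = st.st_uid;
    unlink(path);
    rmdir(dir);
    return n == (ssize_t)sizeof *r ? 0 : -1;
}

int main(void)
{
    struct userns_report r;
    uid_t owner;
    if (run_userns_probe(&r, &owner) < 0) { perror("probe"); return 1; }
    if (r.setup_errno) { fprintf(stderr, "cannot enter a user namespace: %s\n", strerror(r.setup_errno)); return 1; }
    printf("euid inside the namespace: %u\n", (unsigned)r.euid_inside);
    printf("open(/proc/sys/kernel/hostname, O_WRONLY): %s\n",
           r.sysctl_open_errno ? strerror(r.sysctl_open_errno) : "allowed");
    printf("file created as uid 0 inside is owned by uid %u outside\n", (unsigned)owner);
    return 0;
}
```

Run it as an ordinary user. If unshare() returns EPERM the system (or a seccomp/LSM policy) disallows unprivileged user namespaces and the probe reports that instead of guessing; run as real root the mapping is 0 -> 0, so the sysctl check is not meaningful and only the file-ownership half says anything.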