Re: [RESEND PATCH v6 0/5] proc: subset=pid: Relax check of mount visibility

Next message: Christian Schoenebeck: "Re: [PATCH RFC v2] 9p/virtio: convert to extract_iter_to_sg()"
Previous message: Alyssa Ross: "[PATCH] man/man2/setns.2: clarify type of nsfs fd required"
In reply to: Alexey Gladkov: "Re: [RESEND PATCH v6 0/5] proc: subset=pid: Relax check of mount visibility"
Next in thread: Alexey Gladkov: "Re: [RESEND PATCH v6 0/5] proc: subset=pid: Relax check of mount visibility"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dan Klishch

Date: Sat Dec 13 2025 - 13:00:49 EST

> It is much easier to implement file access
> restrictions in procfs using an ebpf controller.

But if we already have a masked /proc from podman/docker/user who
decided to run `mount --bind /dev/null /proc/smth`, the sandbox will
not have a choice other than to bail out. Also, correct me if I am
wrong, installing ebpf controller requires CAP_BPF in initial
userns, so rootless podman will not be able to mask /proc "properly"
even if someone sends a patch switching it to ebpf.

Thanks,
Dan Klishch