2008/10/18 Roman V. Shaposhnik <[EMAIL PROTECTED]>: > On Wed, 2008-10-15 at 08:17 -0400, erik quanstrom wrote: >> > > ; mntgen a >> > > ; bind /env a/env >> > > ; bind /bin a/bin >> > > ; bind /proc a/proc >> > > ; bind a / >> > > ; ns >> > > >> > > consider it a security feature. >> > >> > Be it as it may, I still can't quite follow why *manual* pruning >> > of the entries from the namespace would be forbidden. unmount(2) >> > takes two strings as arguments, right? It doesn't even need an fd. >> >> because they're not visible. you have to access >> it in order to unmount it. > > I see what you meant now. For some reason, I constantly assume > that namespace is sort of a substitution table that helps you > walk(5) across the bind/mount points. But it is not. Is there > a simple reason for mandating access to the target of the bind? > > Or here's an easier way to ask the same: is there a simple reason > for > $ bind /foo /really/nested/bar > always triggering walks into /foo and /really/nested/bar and not > allowing for "lazy evaluation"?
The evaluation of bind argument "happens at the time of the bind, not when the binding is later used." -- see bind(2). Also, /sys/doc/9.ps worth reading.
