> Constructing a namespace without RFNOMNT that does not have #s (say) bound
> is not really securing #s (and its other consumers) against that namespace's
> actions. Constructing a namespace with RFNOMNT and without #s bound does
> at least two bad things:
> -> it makes it impossible to pass fds around between processes in this
> namespace, as there is now no /srv backing.
> -> it prohibits import of additional resources.
i think you've got the cart before the horse. i haven't even seen what i think is a compelling argument for sendfd, yet you're trying to argue for second-order problems with a particular application of sendfd. i would think that in order to justify sendfd one would need to
- have a reasonable implementation of sendfd and
- a useful application that needs it and can't be implemented correctly without it.
it would be more convincing with a paper that considers other options and makes the argument for sendfd. with that in hand, it then would make sense to talk about second-order problems.

- erik