On Fri, Dec 10, 2010 at 03:06:59PM +0000, Daniel P. Berrange wrote: > The theory is as follows though > > 1. clone() with the CLONE_NEWNS set [...] > There are various other CLONE flags that lock down more > things if desired, eg to hide all host network interfaces.
I don't think CLONE_* can stop them creating a /dev/hda-equivalent device node and then editing files on your real hard disk. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming blog: http://rwmj.wordpress.com Fedora now supports 80 OCaml packages (the OPEN alternative to F#) http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
