On Mon, 2014-05-26 at 11:16 +0200, Seth Forshee wrote: > On Fri, May 23, 2014 at 08:48:25AM +0300, Marian Marinov wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > One question about this patch. > > > > Why don't you use the devices cgroup check if the root user in that > > namespace is allowed to use this device? > > > > This way you can be sure that the root in that namespace can not access > > devices to which the host system did not gave > > him access to.
> That might be possible, but I don't want to require something on the > host to whitelist the device for the container. Then loop would need to > automatically add the device to devices.allow, which doesn't seem > desirable to me. But I'm not entirely opposed to the idea if others > think this is a better way to go. I don't see any safe way to avoid it. The host has to be in control of what devices can and can not be accessed by the container. > Seth Regards, Mike -- Michael H. Warfield (AI4NB) | (770) 978-7061 | m...@wittsend.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
signature.asc
Description: This is a digitally signed message part
