On Fri, May 23, 2014 at 03:23:50PM -0700, Eric W. Biederman wrote: > Serge Hallyn <serge.hal...@ubuntu.com> writes: > > > Quoting Eric W. Biederman (ebied...@xmission.com): > >> > >> > >> >> Ultimately the technical challenge is how do we create a block device > >> >> that is safe for a user who does not have any capabilities to use, and > >> >> what can we do with that block device to make it useful. > >> > > >> > Yes, and I'd like to get started solving those challenges. But I also > >> > don't think we can address these two points (support partition blkdevs, > >> > help prevent more priveleged users from using a namespace's loop > >> > devices) sufficiently while having an implementation completely > >> > contained within the loop driver as Greg is requesting. > >> > >> My key take away from the conversation is that we should reduce the > >> scope of what is being done to something that makes sense and the > >> propblems are immediately visible. > >> > >> Part of me would like to suggest that fuse and it's ability to imitate > >> device nodes might be a more appropriate solution, to something that > > > > Do you have a link to more info on this? Some googling got me to an > > interesting but old thread on CUSE, but nothing specifically about fuse > > doing this. > > CUSE is probably what I was thinking of. It is all part of the fuse > code base in the kernel. And now that I am reminded it is called CUSE > I go Duh that is a character device... > > Fuse and everything it can do is definitely the filesystem I would like > to see most have the audits to be enabled in user namespace. Fuse > was built to be sufficiently paranoid to allow this and so it should not > take a lot to take fuse the rest of the way.
I was aware of FUSE but hadn't ever looked at it much. Looking at it now, this isn't going to satisfy any of the use cases I know about, which are wanting to use filesystems supported in-kernel (isofs, ext*). I don't see that any of these have a FUSE implementation, and I think we gain more from figuring out how to use in-kernel filesystems in containers than trying to find a way to shoehorn selected filesystems into FUSE. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
