On Wed, 2011-10-05 at 20:46 +0200, "Axel Schöner" wrote:
> I've submitted a patch-set a few days before, but I didn't get any feedback
> yet.

Hi Axel,

I guess there are too few people using lxc-attach for the moment...

> The reason for this patch is, by using "lxc-attach" to enter the namespaces
> of a container, the "lxc-attach" process and its child processes are not
> added to the cgroup task-files of the container.
> That means that the cgroup-based restrictions for these processes would not
> be applied!

That makes a lot of sense indeed! This is clearly an isolation/security bug.

> I think that should be fixed. The patches are again attached to this mail.

Well, it is better to send your series like you did before: one patch per
mail, otherwise it's impractical to comment... Moreover, each patch shouldn't
break compilation. For example, your patch number 1 doesn't compile as it
needs all the other patches. Also, when you add/change a function signature,
please use a single patch for .h and .c files...

In short, resend your series with:
- patch 1: introduce lxc_cgroup_append_task() helper
- patch 2: use lxc_cgroup_append_task() in lxc_attach()

This way, we can comment on your code easily and hopefully commit something
soon.

Thanks.

--
Gregory Kurz gk...@fr.ibm.com
Software Engineer @ IBM/Meiosys http://www.ibm.com
Tel +33 (0)534 638 479 Fax +33 (0)561 400 420
"Anarchy is about taking complete responsibility for yourself." Alan Moore.

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
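The bug discussed above is that a process entering a container's namespaces through lxc-attach stays outside the container's cgroups, so its resource limits never apply. The helper below is an added illustration of the proposed lxc_cgroup_append_task() idea, not Axel's patch or LXC's own code: it appends a pid to a cgroup "tasks" file and reports failure so the caller can abort the attach instead of running unconfined. The function names, the "<mount>/<subsystem>/<container>/tasks" layout and the temp-file self-check are assumptions for this example.

```c
/* Added example, not the patch from the thread: a helper in the spirit of the
 * proposed lxc_cgroup_append_task(). Names and paths are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Append pid to the cgroup "tasks" file at tasks_path. Returns 0 on success,
 * -1 on failure; the caller should then abort the attach rather than run the
 * process outside the container's cgroup limits. */
int cgroup_append_task_path(const char *tasks_path, pid_t pid)
{
    FILE *f = fopen(tasks_path, "a");
    if (!f)
        return -1;
    int rc = fprintf(f, "%d\n", (int)pid) > 0 ? 0 : -1;
    if (fclose(f) != 0)   /* write errors surface at close on cgroupfs */
        rc = -1;
    return rc;
}

/* Build "<mount>/<subsystem>/<container>/tasks" and append the pid, e.g.
 * cgroup_append_task("/sys/fs/cgroup", "memory", "c1", getpid()). */
int cgroup_append_task(const char *mount, const char *subsys,
                       const char *name, pid_t pid)
{
    char path[4096];
    int n = snprintf(path, sizeof(path), "%s/%s/%s/tasks", mount, subsys, name);
    if (n < 0 || (size_t)n >= sizeof(path))
        return -1;
    return cgroup_append_task_path(path, pid);
}

/* Offline self-check: append to a temp file standing in for a tasks file and
 * read it back. Returns 1 if the file then holds exactly "4242\n", else 0. */
int cgroup_append_task_selftest(void)
{
    char tmpl[] = "/tmp/tasks-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 0;
    close(fd);
    int ok = cgroup_append_task_path(tmpl, 4242) == 0;
    char buf[32] = {0};
    FILE *f = fopen(tmpl, "r");
    if (f) { if (fread(buf, 1, sizeof(buf) - 1, f) == 0) ok = 0; fclose(f); }
    unlink(tmpl);
    return ok && strcmp(buf, "4242\n") == 0;
}
```

In a real attach path every subsystem mounted for the container would get the same append before the attached command runs, and any -1 would stop the attach.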