On Wed, Nov 01, 2023 at 05:23:12PM +0100, Jann Horn wrote:
> On Wed, Nov 1, 2023 at 11:57 AM Mickaël Salaün wrote:
> > On Tue, Oct 31, 2023 at 09:40:59PM +0100, Stefan Bavendiek wrote:
> > > On Tue, Oct 24, 2023 at 11:07:14AM -0500, Serge E. Hallyn wrote:
> > > > In 2005, before namespaces were up
On Wed, Nov 1, 2023 at 11:57 AM Mickaël Salaün wrote:
> On Tue, Oct 31, 2023 at 09:40:59PM +0100, Stefan Bavendiek wrote:
> > On Tue, Oct 24, 2023 at 11:07:14AM -0500, Serge E. Hallyn wrote:
> > > In 2005, before namespaces were upstreamed, I posted the 'bsdjail' LSM,
> > > which briefly made it i
On Tue, Oct 31, 2023 at 09:40:59PM +0100, Stefan Bavendiek wrote:
> On Tue, Oct 24, 2023 at 11:07:14AM -0500, Serge E. Hallyn wrote:
> > In 2005, before namespaces were upstreamed, I posted the 'bsdjail' LSM,
> > which briefly made it into the -mm kernel, but was eventually rejected as
> > being an
On Tue, Oct 24, 2023 at 11:07:14AM -0500, Serge E. Hallyn wrote:
> In 2005, before namespaces were upstreamed, I posted the 'bsdjail' LSM,
> which briefly made it into the -mm kernel, but was eventually rejected as
> being an abuse of the LSM interface for OS level virtualization :)
>
> It's not 1
On Wed, Oct 25, 2023 at 7:22 PM Serge E. Hallyn wrote:
>
> On Wed, Oct 25, 2023 at 07:10:07PM +0200, Jann Horn wrote:
> > On Tue, Oct 24, 2023 at 3:46 PM Serge E. Hallyn wrote:
> > > Disabling them altogether would break lots of things depending on them,
> > > like X :) (@/tmp/.X11-unix/X0).
> >
On Wed, Oct 25, 2023 at 07:10:07PM +0200, Jann Horn wrote:
> On Tue, Oct 24, 2023 at 3:46 PM Serge E. Hallyn wrote:
> > Disabling them altogether would break lots of things depending on them,
> > like X :) (@/tmp/.X11-unix/X0).
>
> FWIW, X can connect over both filesystem-based unix domain socke
On Tue, Oct 24, 2023 at 3:46 PM Serge E. Hallyn wrote:
> Disabling them altogether would break lots of things depending on them,
> like X :) (@/tmp/.X11-unix/X0).
FWIW, X can connect over both filesystem-based unix domain sockets and
abstract unix domain sockets. When a normal X client tries to
On Tue, Oct 24, 2023 at 11:07:14AM -0500, Serge E. Hallyn wrote:
> On Tue, Oct 24, 2023 at 10:29:17AM -0400, Paul Moore wrote:
> > On Tue, Oct 24, 2023 at 10:18 AM Serge E. Hallyn wrote:
> > > On Tue, Oct 24, 2023 at 10:14:29AM -0400, Paul Moore wrote:
> > > > On Tue, Oct 24, 2023 at 9:46 AM Serge
Yeah, I think I've heard the term "socket namespaces" before, and I
agree that changing the term 'network namespaces' in the kernel would
probably not be practical at this point.
On Tue, Oct 24, 2023 at 11:55:43AM -0400, Boris Lukashev wrote:
> Good point: from the "resources granted to a user" pe
On Tue, Oct 24, 2023 at 10:29:17AM -0400, Paul Moore wrote:
> On Tue, Oct 24, 2023 at 10:18 AM Serge E. Hallyn wrote:
> > On Tue, Oct 24, 2023 at 10:14:29AM -0400, Paul Moore wrote:
> > > On Tue, Oct 24, 2023 at 9:46 AM Serge E. Hallyn wrote:
> > > > On Sun, Dec 18, 2022 at 08:29:10PM +0100, Stef
On Tue, Oct 24, 2023 at 10:18 AM Serge E. Hallyn wrote:
> On Tue, Oct 24, 2023 at 10:14:29AM -0400, Paul Moore wrote:
> > On Tue, Oct 24, 2023 at 9:46 AM Serge E. Hallyn wrote:
> > > On Sun, Dec 18, 2022 at 08:29:10PM +0100, Stefan Bavendiek wrote:
> > > > When building userspace application sand
On Tue, Oct 24, 2023 at 10:14:29AM -0400, Paul Moore wrote:
> On Tue, Oct 24, 2023 at 9:46 AM Serge E. Hallyn wrote:
> > On Sun, Dec 18, 2022 at 08:29:10PM +0100, Stefan Bavendiek wrote:
> > > When building userspace application sandboxes, one issue that does not
> > > seem trivial to solve is th
Thanks for the reply. Do you have any papers which came out of this r&d
phase? Sounds very interesting.
> Multiple NS' sharing an IP stack would exhaust ephemeral ranges faster
Yes, but that could be a feature. I think of it as: I'm unprivileged
user serge, and I want to fire off firefox in a
On Tue, Oct 24, 2023 at 9:46 AM Serge E. Hallyn wrote:
> On Sun, Dec 18, 2022 at 08:29:10PM +0100, Stefan Bavendiek wrote:
> > When building userspace application sandboxes, one issue that does not seem
> > trivial to solve is the isolation of abstract sockets.
>
> Veeery late reply. Have you ha
On Sun, Dec 18, 2022 at 08:29:10PM +0100, Stefan Bavendiek wrote:
> When building userspace application sandboxes, one issue that does not seem
> trivial to solve is the isolation of abstract sockets.
Veeery late reply. Have you had any productive discussions about this in
other threads or venue