Alan Cox writes:
>> At least with a recent modern distro I can't imagine this to be an
>> issue. I expect we could have a kernel build option that removed the
>> mknod system call and a modern distro wouldn't notice.
>
> A few things beyond named pipes will break. PCMCIA I believe still
> depend
Serge Hallyn writes:
>>> That's what I said a few emails ago :) The device cgroup was meant as
>>> a short-term workaround for lack of user (and device) namespaces.
>>
>> I am saying something stronger. The device cgroup doesn't seem to have
>> a practical function now.
>
> "Now" is wrong. The
On 09/16/2012 09:23 AM, Eric W. Biederman wrote:
Serge Hallyn writes:
On 09/16/2012 07:17 AM, Eric W. Biederman wrote:
ebied...@xmission.com (Eric W. Biederman) writes:
Alan Cox writes:
One piece of the puzzle is that we should be able to allow unprivileged
device node creation and acces
> At least with a recent modern distro I can't imagine this to be an
> issue. I expect we could have a kernel build option that removed the
> mknod system call and a modern distro wouldn't notice.
A few things beyond named pipes will break. PCMCIA I believe still
depends on ugly mknod hackery of
Serge Hallyn writes:
> On 09/16/2012 07:17 AM, Eric W. Biederman wrote:
>> ebied...@xmission.com (Eric W. Biederman) writes:
>>
>>> Alan Cox writes:
>>>
> One piece of the puzzle is that we should be able to allow unprivileged
> device node creation and access for any device on any files
On 09/16/2012 07:17 AM, Eric W. Biederman wrote:
ebied...@xmission.com (Eric W. Biederman) writes:
Alan Cox writes:
One piece of the puzzle is that we should be able to allow unprivileged
device node creation and access for any device on any filesystem
for which it unprivileged access is saf
ebied...@xmission.com (Eric W. Biederman) writes:
> Alan Cox writes:
>
>>> One piece of the puzzle is that we should be able to allow unprivileged
>>> device node creation and access for any device on any filesystem
>>> for which it unprivileged access is safe.
>>
>> Which devices are "safe" is p
Alan Cox writes:
>> One piece of the puzzle is that we should be able to allow unprivileged
>> device node creation and access for any device on any filesystem
>> for which it unprivileged access is safe.
>
> Which devices are "safe" is policy for all interesting and useful cases,
> as are file p
> One piece of the puzzle is that we should be able to allow unprivileged
> device node creation and access for any device on any filesystem
> for which it unprivileged access is safe.
Which devices are "safe" is policy for all interesting and useful cases,
as are file permissions, security tags,
Quoting Eric W. Biederman (ebied...@xmission.com):
>
> Thinking about this a bit more I think we have been asking the wrong
> question.
>
> I think the correct question should be: How do we safely allow for
> unprivileged creation of device nodes and devices?
>
> One piece of the puzzle is that
Thinking about this a bit more I think we have been asking the wrong
question.
I think the correct question should be: How do we safely allow for
unprivileged creation of device nodes and devices?
One piece of the puzzle is that we should be able to allow unprivileged
device node creation and ac
Quoting Eric W. Biederman (ebied...@xmission.com):
> "Serge E. Hallyn" writes:
>
> > Quoting Aristeu Rozanski (a...@ruivo.org):
> >> Tejun,
> >> On Thu, Sep 13, 2012 at 01:58:27PM -0700, Tejun Heo wrote:
> >> > memcg can be handled by memcg people and I can handle cgroup_freezer
> >> > and ot
12 matches