On Thu, Oct 24, 2019 at 11:26:11AM +0100, Daniel P. Berrangé wrote:
> On Wed, Oct 16, 2019 at 05:01:57PM +0100, Stefan Hajnoczi wrote:
> It might be useful to call prctl(PR_SET_PDEATHSIG) here, so that
> if the parent process exits for any reason, the child will be killed
> off too.
[...]
> I feel
On Wed, Oct 16, 2019 at 05:01:57PM +0100, Stefan Hajnoczi wrote:
> virtiofsd needs access to /proc/self/fd. Let's move to a new pid
> namespace so that a compromised process cannot see another other
> processes running on the system.
>
> One wrinkle in this approach: unshare(CLONE_NEWPID) affects
* Stefan Hajnoczi (stefa...@redhat.com) wrote:
> virtiofsd needs access to /proc/self/fd. Let's move to a new pid
> namespace so that a compromised process cannot see another other
> processes running on the system.
>
> One wrinkle in this approach: unshare(CLONE_NEWPID) affects *child*
> process
