Re: Sandbox thoughts



On Tue, 2015-02-17 at 13:23 -0800, Andy Lutomirski wrote:

> - setuid / privileged helper.  Why do you need a privileged helper?
> You should be able to do all of this using user namespaces.  The
> Sandstorm code linked above does exactly this.

I tried this a bit, but I ran into two snags I don't understand.

First of all, as uid/gid 1000 I can put "1000 1000 1"
in /proc/self/uid_map from the child. However, I cannot put "1000 1000
1" into gid_map, as I get EPERM.
I don't understand this, is this not supposed to work?

Secondly, I'm failing to mount another instance of devpts. It fails with
EINVAL.

I've attached some sample code that shows these two errors (that I get
on Fedora 21, with kernel 3.18.3-201.fc21.x86_64).
Any help here would be appreciated...

Attachment: test-user.c
Description: Text Data
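
Added example (not the attached test-user.c and not code from this thread): the uid_map / gid_map writes described in the message, run once without and once with a prior write of "deny" to /proc/self/setgroups. user_namespaces(7) documents that, on kernels providing that file, an unprivileged gid_map write fails with EPERM unless "deny" is written first. The function names and the 255 / -1 status convention are made up for this sketch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER /* fallback if _GNU_SOURCE took effect too late */
#define CLONE_NEWUSER 0x10000000
#endif
/* Write s to a /proc file in one write(); returns 0 or the errno. */
static int write_file(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return errno;
    int err = write(fd, s, strlen(s)) < 0 ? errno : 0;
    close(fd);
    return err;
}
/* Format the one-line identity map "<id> <id> 1"; returns its length. */
int format_identity_map(char *buf, size_t len, unsigned id) {
    return snprintf(buf, len, "%u %u 1", id, id);
}

/* Forked child enters a new user namespace and maps its own uid and gid.
 * Returns 0, the errno of a failed gid_map write, or -1 on earlier failure. */
int map_ids_in_new_userns(int deny_setgroups) {
    char map[64];
    unsigned uid = getuid(), gid = getgid(); /* read before unshare */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (syscall(SYS_unshare, CLONE_NEWUSER) != 0) _exit(255);
        format_identity_map(map, sizeof map, uid);
        if (write_file("/proc/self/uid_map", map) != 0) _exit(255);
        if (deny_setgroups && write_file("/proc/self/setgroups", "deny") != 0)
            _exit(255);
        format_identity_map(map, sizeof map, gid);
        _exit(write_file("/proc/self/gid_map", map));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    printf("no deny: %d, deny: %d\n", map_ids_in_new_userns(0), map_ids_in_new_userns(1));
    return 0;
}
```

A result of -1 means the environment did not allow creating the user namespace or writing uid_map at all, so the gid_map write was never attempted.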


