Re: [PATCH] devpts: Add ptmx_uid and ptmx_gid options
- From: Kenton Varda <kenton sandstorm io>
- To: Alexander Larsson <alexl redhat com>
- Cc: gnome-os-list gnome org, Linux Containers <containers lists linux-foundation org>, "linux-kernel vger kernel org" <linux-kernel vger kernel org>, Andy Lutomirski <luto amacapital net>, James Bottomley <James Bottomley hansenpartnership com>, mclasen redhat com, "Eric W. Biederman" <ebiederm xmission com>, Linux FS Devel <linux-fsdevel vger kernel org>
- Subject: Re: [PATCH] devpts: Add ptmx_uid and ptmx_gid options
- Date: Thu, 28 May 2015 13:17:30 -0700
On Thu, May 28, 2015 at 1:06 PM, Alexander Larsson <alexl redhat com> wrote:
On Thu, 2015-05-28 at 12:14 -0500, Eric W. Biederman wrote:
Where does the second namespace enter into this?
Step a. Create create a user namespace where uid 0 is mapped to your
real uid, and set up your sandbox (aka mount /dev/pts and everything
else).
Step b. Create a nested user namespace where your uid is identity
mapped and run your desktop application. You can even drop all caps
in
your namespace.
Just tried this. Its not the nicest, and it doubles the number of
namespaces in action for each sandbox, but it does work.
How much overhead is involved in each user namespace? Is there any
system-wide limit on total namespaces, other than RAM? Is there
(non-negligible) CPU overhead for each syscall seeking permissions in
the namespace?
-Kenton
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
