Re: [PATCH] devpts: Add ptmx_uid and ptmx_gid options



On Thu, May 28, 2015 at 1:06 PM, Alexander Larsson <alexl redhat com> wrote:
On Thu, 2015-05-28 at 12:14 -0500, Eric W. Biederman wrote:

Where does the second namespace enter into this?

Step a.  Create create a user namespace where uid 0 is mapped to your
real uid, and set up your sandbox (aka mount /dev/pts and everything
else).

Step b.  Create a nested user namespace where your uid is identity
mapped and run your desktop application.  You can even drop all caps
in
your namespace.

Just tried this. Its not the nicest, and it doubles the number of
namespaces in action for each sandbox, but it does work.

How much overhead is involved in each user namespace? Is there any
system-wide limit on total namespaces, other than RAM? Is there
(non-negligible) CPU overhead for each syscall seeking permissions in
the namespace?

-Kenton


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]