Re: integration with LSM ?


From: Kyle Hayes (khayes_at_quicknet.net)
Date: Wed Oct 24 2001 - 13:28:34 EDT


On Tuesday 23 October 2001 18:47, Chris Wright wrote:
> > One minor nitpick, 'vserver <foo> build' could use 'mount --bind'
> > on the 2.4 kernels; this would save both disk space and memory use,
> > and 'mount --bind' also accepts options like read only mounts so
> > root inside the vservers cannot mess with the files.
>
> mount --bind does not honor mount flags; you must remount to change
> flags. Also, readonly is per superblock, so you can't have something
> that is writable in one mount and readonly in another, fwiw.

Hmm, it would sure be nice if the readonly flag was associated with the mount
point in some manner rather than the superblock. That would let me do things
like leave all of /usr etc. as is, but mount it readonly in the vserver
directory. Then, I could use the normal RPM or other package tools to change
and update the stuff in /usr, but the vserver couldn't overwrite or change
anything itself. Wasn't there something on the kernel list about this kind
of change to the inner workings of mount a while back? Am I just not
remembering this correctly?

This vserver thing looks very nice. It may be the solution to some problems
we were having with a chroot-based design. It was getting rather hard to
lock down access to the outside world in a controlled way.

Best,
Kyle

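Kyle's wish for a read-only flag tied to the mount point rather than the superblock is what later kernels provide (per-mount read-only bind mounts, `mount -o remount,bind,ro`, since Linux 2.6.26). The script below is an added example, not part of this thread: it parses the /proc/self/mountinfo layout those kernels expose, where field 6 holds the per-mount flags and the options after the " - " separator are the per-superblock flags Chris describes, and audits which paths under a vserver root are still writable; the mountinfo lines are a constructed sample and the /vservers paths are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed /proc/self/mountinfo
# sample: field 5 is the mountpoint, field 6 the per-mount options, and
# the third field after the "-" separator holds the superblock options.
SAMPLE_MOUNTINFO='25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
40 25 8:1 /usr /vservers/web/usr ro,nosuid,nodev,relatime - ext4 /dev/sda1 rw,errors=remount-ro
41 25 8:1 /home /vservers/web/home rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
42 25 8:17 / /vservers/web/cdrom ro,relatime - iso9660 /dev/sr0 ro'

# mount_flags <mountinfo-text> <mountpoint>
#   prints "mount=<ro|rw> sb=<ro|rw> effective=<ro|rw>" for one mountpoint;
#   effective is ro when either the mount or its superblock is read-only.
mount_flags() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        function has_ro(opts,  a, n, i) {
            n = split(opts, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == "ro") return 1
            return 0
        }
        $5 == mp {
            sb_opts = ""
            for (i = 7; i <= NF; i++) if ($i == "-") { sb_opts = $(i + 3); break }
            m = has_ro($6) ? "ro" : "rw"
            s = has_ro(sb_opts) ? "ro" : "rw"
            e = (m == "ro" || s == "ro") ? "ro" : "rw"
            print "mount=" m " sb=" s " effective=" e
        }'
}

# writable_under <mountinfo-text> <prefix>
#   lists mountpoints below <prefix> that root inside the vserver could
#   modify, i.e. neither the mount nor its superblock is read-only.
writable_under() {
    printf '%s\n' "$1" | awk -v pre="$2" '
        function has_ro(opts,  a, n, i) {
            n = split(opts, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == "ro") return 1
            return 0
        }
        index($5, pre) == 1 {
            sb_opts = ""
            for (i = 7; i <= NF; i++) if ($i == "-") { sb_opts = $(i + 3); break }
            if (!has_ro($6) && !has_ro(sb_opts)) print $5
        }'
}

# Stand-alone run: the /usr bind is read-only per mount while its superblock
# stays writable on the host; only /home remains writable inside the vserver.
mount_flags "$SAMPLE_MOUNTINFO" /vservers/web/usr
writable_under "$SAMPLE_MOUNTINFO" /vservers/web/
```

Replace `SAMPLE_MOUNTINFO` with `$(cat /proc/self/mountinfo)` to audit a live host.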


This archive was generated by hypermail 2.1.4 : Mon Aug 19 2002 - 12:01:00 EDT