[libvirt] [PATCH RFC] LXC: don't RO mount /proc, /sys when user namespce enabled

Eric Blake eblake at redhat.com
Mon Dec 22 15:12:33 UTC 2014


On 12/21/2014 08:57 PM, Chen Hanxiao wrote:

s/namespce/namespace/ in the subject line

> If we enabled user ns and provided a uid/gid map,
> we do not need to mount /proc, /sys as readonly.
> Leave it to kernel for protection.
> 
> Signed-off-by: Chen Hanxiao <chenhanxiao at cn.fujitsu.com>
> ---
>  src/lxc/lxc_container.c | 6 ++++++
>  1 file changed, 6 insertions(+)

I'll leave the actual patch review to someone more familiar with LXC
namespace setups.


-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
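The patch's premise is that a uid/gid map makes the kernel's own ownership checks do the work a read-only /proc and /sys remount would otherwise do. The part a reviewer would want pinned down is what "provided a uid/gid map" must mean: a map that leaves container root on host uid 0 (the initial namespace's own `0 0 4294967295` line, or any map with a `0 0 ...` line) gives no protection at all. The following C example is added here and is not libvirt code; it parses the text of a `/proc/<pid>/uid_map`-style file and classifies it, then applies the patch's rule only when both maps really move container root away from host root. The function names and the exact classification rule are assumptions made for this illustration.

```c
/* Added example, not libvirt's own code.  Classifies the text of a
 * /proc/<pid>/uid_map or gid_map (lines of "<inside> <outside> <count>")
 * and decides whether the read-only /proc and /sys remount can be skipped.
 * Helper names and the rule below are assumptions for this illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum idmap_state {
    IDMAP_INVALID,            /* text could not be parsed */
    IDMAP_EMPTY,              /* no map written yet */
    IDMAP_ROOT_IS_HOST_ROOT,  /* inside id 0 maps to host id 0: no protection */
    IDMAP_ROOT_UNMAPPED,      /* no line covers inside id 0 */
    IDMAP_REMAPPED            /* inside id 0 maps to a non-zero host id */
};

/* Parse one "<inside> <outside> <count>" triple at *p, advancing *p. */
static bool parse_triple(const char **p, unsigned long out[3])
{
    for (int i = 0; i < 3; i++) {
        char *end;
        errno = 0;
        out[i] = strtoul(*p, &end, 10);   /* strtoul skips leading blanks */
        if (end == *p || errno != 0)
            return false;
        *p = end;
    }
    return true;
}

enum idmap_state classify_idmap(const char *map)
{
    const char *p = map;
    bool any = false, root_seen = false;
    unsigned long root_outside = 0;

    for (;;) {
        unsigned long t[3];
        while (*p == ' ' || *p == '\t' || *p == '\n')
            p++;
        if (*p == '\0')
            break;
        if (!parse_triple(&p, t) || t[2] == 0)
            return IDMAP_INVALID;
        any = true;
        /* The line starting at inside id 0 says where container root lands. */
        if (t[0] == 0) {
            root_seen = true;
            root_outside = t[1];
        }
    }
    if (!any)
        return IDMAP_EMPTY;
    if (!root_seen)
        return IDMAP_ROOT_UNMAPPED;
    return root_outside == 0 ? IDMAP_ROOT_IS_HOST_ROOT : IDMAP_REMAPPED;
}

/* The patch's rule, made strict: keep the read-only remount unless both
 * the uid map and the gid map move container root off host id 0. */
bool need_readonly_proc_sys(const char *uid_map, const char *gid_map)
{
    return classify_idmap(uid_map) != IDMAP_REMAPPED ||
           classify_idmap(gid_map) != IDMAP_REMAPPED;
}

/* Read a small procfs file into buf; returns 0 on success, -1 on error. */
static int read_map(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

/* Stand-alone use: inspect the calling process's own maps. */
int main(void)
{
    char uid[4096], gid[4096];
    if (read_map("/proc/self/uid_map", uid, sizeof uid) < 0 ||
        read_map("/proc/self/gid_map", gid, sizeof gid) < 0) {
        perror("read id map");
        return 1;
    }
    printf("uid_map state %d, gid_map state %d: %s\n",
           classify_idmap(uid), classify_idmap(gid),
           need_readonly_proc_sys(uid, gid) ? "keep read-only remount"
                                            : "rely on kernel id mapping");
    return 0;
}
```

Run from the host's initial user namespace, the program reports that the read-only remount must be kept, because the identity map leaves root as host root; only a map such as `0 100000 65536` in both files lets it say otherwise. A map with a `0 0 N` first line is deliberately treated the same as no map.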
