Comment 11 for bug 1639345
Revision history for this message
| Roman Fiedler (roman-fiedler-deactivatedaccount) wrote | #11 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
OK, but sounds complicated.
I'm not sure if that could work, but what about...
* Create a helper mount namespace from init-ns where everything needed after setns(guestns) is bind-mounted and where everything else is unmounted. Not sure if chroot/pivot_root would be needed here to cleanup.
* Open a directory fd to the root of this helper mountns
* Enter the final user/mount ns as implemented now. This should work even when guest-ns is not parent of helper-ns as process is privileged in init-ns (not 100% sure about that). The helper-ns would not be the mount ns of any living process any more and should be purged, when the directory fd is closed.
* After entering the guestns process has only limited means to modify the content in the helper-ns as it does not live in the parent-ns of the helper-ns.
Could that be a generic concept to get around the sequence of clone() calls?