I am trying to create a sandbox using Linux namespaces. I found a neat example at https://github.com/swetland/mkbox, which roughly does what I want, but I would like a trustworthy /proc to appear inside the sandbox. How can I do this?
I tried bind-mounting the proc FS onto "proc", but that fails with EINVAL. When I try to mount "proc" normally, it gives EPERM.
Any ideas?
A local guru figured this out for me: proc should be mounted with the MS_REC flag (undocumented?), for example:
ok(mount, "/proc", "proc", NULL, MS_REC|MS_BIND, NULL);
- , CLONE_PIDNS , .
, , , EPERM , CLONE_NEWUSER | CLONE_NEWNS, CLONE_NEWPID. , proc CAP_SYS_ADMIN , PID, .
Linux 4.4, fs/proc/root.c, 112-117:
ns = task_active_pid_ns(current);
options = data;

/* Does the mounter have privilege over the pid namespace? */
if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN))
	return ERR_PTR(-EPERM);
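An added example, not code from either poster or from mkbox: a sequence under which the kernel check quoted above passes, because the mounting process runs inside a PID namespace owned by the same user namespace that gives it CAP_SYS_ADMIN. The function names are hypothetical, and it assumes a kernel with unprivileged user namespaces enabled; anywhere else it returns the errno of the step that failed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: runs as PID 1 of the new PID namespace. */
static int mount_fresh_proc(void)
{
    /* Make all mounts private so nothing done here propagates outward. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return errno;
    /* Allowed: CAP_SYS_ADMIN in the user ns owning our PID namespace. */
    if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) != 0)
        return errno;
    return getpid() == 1 ? 0 : ESRCH;   /* ESRCH: not in a new PID namespace */
}
/* Hypothetical name. Returns 0 on success, else the errno of the failed step. */
int sandbox_proc_check(void)
{
    int status;
    pid_t outer = fork();               /* leave the caller's namespaces alone */
    if (outer < 0)
        return errno;
    if (outer == 0) {
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWPID) != 0)
            _exit(errno);
        pid_t init = fork();            /* CLONE_NEWPID only applies to children */
        if (init < 0)
            _exit(errno);
        if (init == 0)
            _exit(mount_fresh_proc());
        if (waitpid(init, &status, 0) < 0)
            _exit(errno);
        _exit(WIFEXITED(status) ? WEXITSTATUS(status) : EINTR);
    }
    if (waitpid(outer, &status, 0) < 0)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINTR;
}

int main(void)
{
    int rc = sandbox_proc_check();
    printf("fresh /proc mount: %s\n", rc ? strerror(rc) : "ok");
    return rc;
}
```

The second fork matters: unshare(CLONE_NEWPID) does not move the calling process, so only its child is inside the new PID namespace when the proc mount is attempted.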
Source: https://habr.com/ru/post/1538928/