| 1 |
On Mon, 12 May 2014 11:39:10 +0200 |
| 2 |
Tom Wijsman <TomWij@g.o> wrote: |
| 3 |
|
| 4 |
> On Mon, 12 May 2014 00:47:17 -0600 |
| 5 |
> Ryan Hill <rhill@g.o> wrote: |
| 6 |
> |
| 7 |
> > > 1. cgroup -- puts all processes spawned by ebuild to cgroup, and |
| 8 |
> > > kills all of them once phase exits (prevents leaving orphans), |
| 9 |
> > > |
| 10 |
> > > 2. ipc-sandbox -- puts all processes spawned by ebuild to a separate |
| 11 |
> > > IPC namespace, preventing them from interfacing other system |
| 12 |
> > > services via IPC (message queues, semaphores, shared memory), |
| 13 |
> > > |
| 14 |
> > > 3. network-sandbox -- puts all processes spawned by ebuild to |
| 15 |
> > > a separate network namespace with a private loopback interface, |
| 16 |
> > > preventing them from interfacing other system services, local |
| 17 |
> > > network and the Internet. |
| 18 |
> > |
| 19 |
> > All three of these require kernel support. It might be a good idea |
| 20 |
> > to add the needed options to that Gentoo Linux menu we have in |
| 21 |
> > gentoo-sources and enable them by default. |
| 22 |
> |
| 23 |
> Right, this skipped my mind when I enabled them yesterday; this should |
| 24 |
> be documented, as well as have Portage check for missing support and |
| 25 |
> test it and bail out with a proper error message if it doesn't already. |
| 26 |
> |
| 27 |
> Which options are these in particular? I'll cook a patch with them. |
| 28 |
|
| 29 |
I believe they are CONFIG_IPC_NS, CONFIG_NET_NS, and CONFIG_CGROUPS. |
| 30 |
|
| 31 |
|
| 32 |
-- |
| 33 |
Ryan Hill psn: dirtyepic_sk |
| 34 |
gcc-porting/toolchain/wxwidgets @ gentoo.org |
| 35 |
|
| 36 |
47C3 6D62 4864 0E49 8E9E 7F92 ED38 BD49 957A 8463 |
Archives