| 1 |
On Mon, Oct 14, 2013 at 2:58 PM, David Leverton |
| 2 |
<levertond@××××××××××.com> wrote: |
| 3 |
> |
| 4 |
> If only someone would invent some sort of kernel feature that could make the |
| 5 |
> name "/etc/mtab" refer to different files in different processes.... |
| 6 |
> |
| 7 |
|
| 8 |
Well, the symlink seems like the simpler solution to be honest. I |
| 9 |
mean, instead of having the ps command to list running processes you |
| 10 |
could just have a daemon dump the list in a file every 10 seconds and |
| 11 |
have programs read it, but... |
| 12 |
|
| 13 |
However, FWIW, linux namespaces cannot be used to have only a single |
| 14 |
file appear differently to different processes. Mount namespaces can |
| 15 |
only operate at the directory level. |
| 16 |
|
| 17 |
I was actually looking into using namespaces as an alternative to the |
| 18 |
sandbox model portage currently uses. Basically you'd look at a |
| 19 |
package's DEPENDs and build a namespace containing only those files, |
| 20 |
and now devs don't inadvertently add ebuilds that are missing DEPENDs. |
| 21 |
|
| 22 |
A bit of a tangent, but the sandbox functionality in portage CAN be |
| 23 |
used to do just this with somewhat little effort. I've just never |
| 24 |
gotten around to trying it out. By default sandbox is told to give |
| 25 |
read-access to everything - the sandbox command does restrict both |
| 26 |
reads and writes already and if that configuration were made dynamic |
| 27 |
and set by portage per-package it would work just fine. I just |
| 28 |
figured namespaces would be a more elegant solution (it is also more |
| 29 |
secure, but security isn't really a concern here). |
| 30 |
|
| 31 |
Rich |
Archives