On Wed, Aug 21, 2013 at 11:51:53AM +0200, Kay Sievers wrote:
> On Wed, Aug 21, 2013 at 9:22 AM, Gao feng
> <gaofeng(a)cn.fujitsu.com> wrote:
> > On 08/21/2013 03:06 PM, Eric W. Biederman wrote:
> >> I suspect libvirt should simply not share /run or any other normally
> >> writable directory with the host. Sharing /run /var/run or even /tmp
> >> seems extremely dubious if you want some kind of containment, and
> >> without strange things spilling through.
>
> Right, /run or /var cannot be shared. It's not only about sockets,
> many other things will also go really wrong that way.

Libvirt already allows the app defining the container config to
set private mounts for any directory including /run and /var.
If an admin or app wants to run systemd inside a container, it is
their responsibility to ensure they setup the filesystem in a
suitable manner. Libvirt is not going to enforce use of a private
/run or /var, since that's a policy decision for a specific
use case.
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
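As an added illustration of the private-mount setup Daniel refers to (this is example configuration written for this page, not taken from the thread or from libvirt's own documentation), here is an LXC domain definition that gives a systemd-booted container its own /run, /tmp and /var rather than the host's, using libvirt's `type='ram'` (in-memory) and `type='mount'` (host directory) filesystem entries. The container name, memory sizes and the two host directory paths are assumptions.

```xml
<domain type='lxc'>
  <!-- Container name and memory are assumed values -->
  <name>ctr-systemd</name>
  <memory unit='KiB'>524288</memory>
  <os>
    <type>exe</type>
    <!-- systemd runs as PID 1 inside the container -->
    <init>/sbin/init</init>
  </os>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>

    <!-- Root filesystem: a dedicated directory (assumed path), never the host's "/" -->
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/var/lib/libvirt/filesystems/ctr-systemd'/>
      <target dir='/'/>
    </filesystem>

    <!-- Private in-memory /run: host sockets, pid files and systemd's
         runtime state stay on their own side of the container boundary -->
    <filesystem type='ram' accessmode='passthrough'>
      <source usage='65536' units='KiB'/>
      <target dir='/run'/>
    </filesystem>

    <!-- Private in-memory /tmp for the same reason -->
    <filesystem type='ram' accessmode='passthrough'>
      <source usage='131072' units='KiB'/>
      <target dir='/tmp'/>
    </filesystem>

    <!-- Per-container /var on disk (assumed path): journals, logs and
         package state are kept separate from the host's /var -->
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/var/lib/libvirt/filesystems/ctr-systemd-var'/>
      <target dir='/var'/>
    </filesystem>

    <console type='pty'/>
  </devices>
</domain>
```

If /var/run in the container rootfs is a symlink to /run (the usual layout on systemd-based distributions), the private /run covers it; if it is a real directory, give it its own entry. After `virsh -c lxc:/// create` on this definition, `findmnt /run`, `findmnt /tmp` and `findmnt /var` run inside the container should each report a mount of their own rather than returning nothing (which would mean the path is just part of the root mount and, if the root were shared, of the host).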