On Sun, Jan 04, 2009 at 12:48:08AM -0500, erik quanstrom wrote:
> > > '#p'
> > > allows any of my namespaces to debug processes in any other, '#s' is too
> > > global, and /net seems to allow any of my processes to manipulate any of my
> > > other processes' network connections (though I've not tested in detail to
> > > see what's possible.)
> >
> > So you're saying that (a) a jailed process should not have access to
> > the #-devices at all and (b) their equivalent /proc, /srv and /net
> > ought to be configured as part of the jail and should not be
> > modifiable.
>
> there is no special exception for #s, #I or #l. these cases are handled
> already.

RFNOMNT has been brought up repeatedly and, while it's certainly better
than nothing, it is too harsh! It simultaneously:

  -> restricts access to kernel devices via # paths
  -> prevents any and all additional mount requests.

Constructing a namespace without RFNOMNT that does not have #s (say) bound
is not really securing #s (and its other consumers) against that
namespace's actions.

Constructing a namespace with RFNOMNT and without #s bound does at least
two bad things:

  -> it makes it impossible to pass fds around between processes in this
     namespace, as there is now no /srv backing.
  -> it prohibits import of additional resources.

The claim is that it might be useful to have namespaces where the mount
table remained open to additional mounts (etc.) but for which the magic
shortcut and proxy circumvention mechanism of #X was not available.

--nwf;
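The two RFNOMNT effects nwf lists, plus the ordering constraint they impose on a jail builder, as an rc session added here for illustration (not code from the thread or from Plan 9 itself). It assumes a standard 4th edition Plan 9 namespace and kernel, where namec refuses '#' names under RFNOMNT except for the short hard-wired list '#|', '#d', '#e', '#c' and '#p'.

```rc
#!/bin/rc
# Added illustration, not code from the thread. Standard Plan 9 device and
# path names only; "mount/attach disallowed" is the kernel's Enoattach text.

rfork n                   # private namespace to experiment in

ls '#s'                   # works: without RFNOMNT, leaving /srv unbound
                          # gains nothing, '#s' is still reachable by name

# Whatever the jail needs from a #-device must be bound BEFORE RFNOMNT,
# because afterwards the kernel refuses '#' names outright.
bind -c '#s' /srv         # keep /srv so fds can still be posted and passed

rfork m                   # RFNOMNT from here on

ls '#s'                   # fails: mount/attach disallowed
ls '#I'                   # fails: mount/attach disallowed (IP stack)
ls /srv                   # works: bound before the rfork
mount /srv/boot /n/test   # fails: mount/attach disallowed (no new mounts)
bind /srv /mnt            # works: bind only rearranges what is present
ls '#p'                   # works: '#p' is on the kernel's exception list
                          # ("|decp"), so RFNOMNT does not answer the
                          # /proc complaint quoted at the top of this mail
```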