From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham
	autolearn_force=no version=3.4.4
Received: (qmail 31670 invoked from network); 4 May 2022 16:18:07 -0000
Received: from 9front.inri.net (168.235.81.73)
  by inbox.vuxu.org with ESMTPUTF8; 4 May 2022 16:18:07 -0000
Received: from gaff.inri.net ([168.235.71.243]) by 9front; Wed May  4 12:15:55 -0400 2022
Received: from smtpclient.apple ([104.59.85.219]) by gaff; Wed May  4 12:15:55 -0400 2022
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Stanley Lieber <sl@stanleylieber.com>
Mime-Version: 1.0 (1.0)
Message-Id: <083AFE4C-A6CF-4926-BCE6-DD97DE0B4915@stanleylieber.com>
References: <FBF70FE6D65D7182A5EB87FB180CED05@eigenstate.org>
In-Reply-To: <FBF70FE6D65D7182A5EB87FB180CED05@eigenstate.org>
To: 9front@9front.org
Date: Wed, 4 May 2022 12:15:54 -0400
X-Mailer: iPhone Mail (19E258)
List-ID: <9front.9front.org>
List-Help: <http://lists.9front.org>
X-Glyph: ➈
X-Bullshit: deep-learning callback-oriented layer 
Subject: Re: [9front] [PATCH] Unmount to remove sharp devices.
Reply-To: 9front@9front.org
Precedence: bulk

this is very welcome.

one problem with getting rid of mounts and binds is programs that use mounts=
 and binds.

sl

> On May 4, 2022, at 11:32 AM, ori@eigenstate.org wrote:
>=20
> =EF=BB=BFQuoth Jacob Moody <moody@mail.posixcafe.org>:
>> Hello,
>>=20
>> This patch allows processes to unmount sharp devices to prevent itself an=
d its children from accessing
>> them. This is implemented through an internal rework of how RFNOMNT works=
, making RFNOMNT a special
>> case of setting disallowed devices. To replicate the mount blocking funct=
ionality of RFNOMNT a special
>> case is given for blocking devmnt, which also blocks the process and its c=
hildren from making any mount
>> calls.
>>=20
>> If everything passes the sniff test I can commit these changes. Diff is h=
ere: http://okturing.com/src/13574/body and included
>> below.
>>=20
>> Thanks,
>> moody
>>=20
>=20
> also -- are there places that you want to take
> advantage of this within the system? It'd be
> good to use the feature, rather than just having
> it sit around.
>=20
> git/serve? rc-httpd? maybe some other daemons
> could use some sandboxing.
>=20
>=20