On Thu, 23.01.14 13:54, Ben Boeckel (maths...@gmail.com) wrote: > Hi, > > As I mused on LWN[1] recently, I was wondering whether it was possible > to have user units be able to hook into namespaces (namely the > PrivateNetwork= and PrivateTmp= from systemd.exec(5) and more if other > namespacing options are added in the future).
WHat to you mean by "user units"? THose run off an unprivileged "systemd --user" instance? Or those run off PID 1 but with User= set? Note that the whole namespacing thing is only available from systemd instances that themesleves are privileged, i.e. only from PID 1... > - ability for a system service to expose what namespace it just > created (to avoid the set-environment hackery above); > - a directive to list users and groups allowed to enter into > namespaces created in a unit (something like > "ExposeNamespaceToUsers=group:vpn,wheel" maybe?); and > - a way for a systemd --user to get namespace file descriptors from > PID 1. The privileges thing is quite limiting. Joining namespces from unprivileged code is hard... You need some kind of setuid binary transition there, but I wouldn't see how you would make that happen... And the complexity gives me headaches... Lennart -- Lennart Poettering, Red Hat _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel