On Fri, Aug 21, 2015 at 1:43 PM, Dominick Grift <dac.overr...@gmail.com> wrote:
> On Fri, Aug 21, 2015 at 01:38:28PM +0300, Mantas Mikulėnas wrote:
>
> >
> > Do they have access to `cat /proc/self/mounts`?
>
> Ouch yes... ok that is a dead end i suppose

Right. That was my point. Restricting individual commands like `mount` is no good if you can't restrict the actual mechanism they all use…

Mount namespaces might help here, as long as you don't use udisks/udisks2 (which, aside from leaking the same information, wouldn't even function correctly with per-user namespaces).

[Though I don't really understand the point of hiding logged-in UIDs at all... Isn't hidepid=2 enough?]

-- 
Mantas Mikulėnas <graw...@gmail.com>
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
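
Added example, not part of the original message: an audit check for the point made in the thread, showing that the mounts table alone yields the UIDs with active sessions even when the `mount` command is unavailable. It assumes the per-user runtime directories that systemd-logind mounts at /run/user/<uid>; the function names and the sample table are constructed for illustration.

```sh
#!/bin/sh
# Audit helper: which UIDs does a mounts table reveal through per-user
# runtime directories, without ever invoking mount(8)?

# visible_session_uids
# Reads text in /proc/self/mounts format on stdin (device, mount point,
# fstype, options, dump, pass) and prints each distinct UID once,
# sorted numerically.
visible_session_uids() {
    while read -r _dev mountpoint _fstype _rest; do
        case $mountpoint in
            /run/user/*)
                uid=${mountpoint#/run/user/}
                uid=${uid%%/*}          # fold sub-mounts such as .../gvfs
                case $uid in
                    ''|*[!0-9]*) ;;     # not a numeric UID, skip it
                    *) printf '%s\n' "$uid" ;;
                esac
                ;;
        esac
    done | sort -nu
}

# Constructed sample table (not captured from a real system).
sample_mounts() {
    cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,mode=700,uid=1000,gid=1000 0 0
gvfsd-fuse /run/user/1000/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,user_id=1000,group_id=1000 0 0
tmpfs /run/user/1001 tmpfs rw,nosuid,nodev,relatime,mode=700,uid=1001,gid=1001 0 0
EOF
}

# Run against the sample; on a live system use:
#   visible_session_uids < /proc/self/mounts
sample_mounts | visible_session_uids
```

Running the same function inside a candidate mount namespace shows whether the per-user mounts are still visible from the restricted account.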