On 31.12.2014 01:56, Jude Nelson wrote:

Hi,

> A much more elegant solution would be to give each session its own
> /dev like you were originally saying--it would allow users to
> interact with different devices under the same name, while also
> preserving POSIX filesystem semantics.

Yes, I really think separate namespaces are the correct way to go.
Actually, I didn't even think about ACLs (which introduce extra
dimensions orthogonal to the filesystem tree), but doing everything
via separate /dev namespaces.

One interesting question here is whether we should do our own
namespacing (within vdev itself), or just use the kernel
infrastructure for that. (By the way: does anybody here know how
other kernels, like *bsd, handle namespaces?)

Maybe we could go through some scenarios where you'd currently use
ACLs and check whether they could be done better w/ namespaces.
(In fact, I prefer not to use ACLs, due to the additional complexity.)

One example is session isolation: here I'm pretty sure that, on login
or session start, a proper namespace should be constructed before
the login shell is started. Do you see any reason for not going that
way?

By the way: does vdev's ACL handling also allow revoking permissions
to some device even on already opened fds?

cu
--
Enrico Weigelt, metux IT consulting
+49-151-27565287
