On Mon, Oct 15, 2018 at 10:22 AM Jann Horn <[email protected]> wrote: > > On Mon, Oct 15, 2018 at 7:10 PM <[email protected]> wrote: > > Following commit disables the creation of user namespace inside > > the chroot environment. > > > > userns: Don't allow creation if the user is chrooted > > > > commit 3151527ee007b73a0ebd296010f1c0454a919c7d > > > > Consider a system in which a non-root user creates a combination > > of user, pid and mount namespaces and confines a process to it. > > The system will have multiple levels of nested namespaces. > > The root namespace in the system will have lots of directories > > which should not be exposed to the child confined to the set of > > namespaces. > > > > Without chroot, we will have to hide all unwanted directories > > individually using bind mounts and mount namespace. > > IMO what you really should be doing is to create a tmpfs, bind-mount > the directories you want into it, and then pivot_root() into that, not > the other way around.
Indeed. Or you can just recursive bind-mount the subtree you want and then pivot_root() into it. --Andy
