might look into CUSE and BUSE (http://bryanpendleton.blogspot.com/2011/02/fuse-cuse-and-uio.html has links)
Quoting Brian Allen Vanderburg II ([email protected]):
> I didn't know where to post this but I had an idea, most likely of
> little use but I thought I would put it out there. Part of this idea is
> inspired by FUSE, which allows creating a user space filesystem but also
> takes care of basic security such as not allowing SUID.
>
> I had an idea for a DUSE - Device driver in user space. This would
> probably not work without some sort of kernel support as well. Like
> FUSE, a DUSE application gets run by a normal user, and if that user is
> a member of the duse group, that user can create device files. For
> security the device files can not be created under the host /dev, but
> could be created under a different location which would eventually
> become the container's /dev. Any reads and writes to the device file,
> and IOCTL calls would be directed to the application. The device file
> gets created as the launching user/group.
>
> lxc-device simply makes a device available within a container. This
> could allow several potential features. First, a DUSE application
> could be created to function as a filter before interacting in some way
> with the host. A virtual device could be exposed to a container, but
> any interactions with that device from the container are monitored and
> only certain interactions may be allowed to pass through and interact
> with the host. How this works would be device specific. Second, a DUSE
> application could provide a device that doesn't actually exist, a
> virtual device. Finally, such a feature might have use outside of
> containers as well.
>
> To support this within a container, special configurations could be
> specified which would allow launching of the DUSE application as a
> specific user after any user namespaces are set up, but before the rest
> of the container is set up. This would launch the application from the
> host filesystem before any mount point changes, but allow specifying
> which user,group the device file is owned as and what permissions are
> set on the device file.
>
>
> Brian Allen Vanderburg II
>
>
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
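The "filter" use of a user-space device proposed in the quoted message comes down to a mediation policy: the proxy sees each read, write and ioctl from the container and forwards only what an allowlist permits. The following is an added example, not code from this thread or from LXC/FUSE; it assumes the Linux `_IOC()` ioctl command encoding used on x86 and ARM (8-bit nr, 8-bit type, 14-bit size, 2-bit direction), a hypothetical device whose ioctls use type character `'X'`, and constructed sample requests. It decodes ioctl command numbers so that the policy can reject a command whose direction or argument size differs from the expected one, which is the check a real proxy would need before copying argument buffers to or from the host device.

```python
"""Default-deny policy filter for a user-space device proxy (DUSE idea).

Added example, not code from the lxc-users thread. Assumes the Linux
_IOC() layout from asm-generic/ioctl.h as used on x86/ARM and a proxy
that inspects every container request before forwarding it.
"""
from dataclasses import dataclass

# _IOC() field layout: nr | type << 8 | size << 16 | dir << 30
_IOC_NRBITS, _IOC_TYPEBITS, _IOC_SIZEBITS = 8, 8, 14
_IOC_NRSHIFT = 0
_IOC_TYPESHIFT = _IOC_NRSHIFT + _IOC_NRBITS        # 8
_IOC_SIZESHIFT = _IOC_TYPESHIFT + _IOC_TYPEBITS    # 16
_IOC_DIRSHIFT = _IOC_SIZESHIFT + _IOC_SIZEBITS     # 30
IOC_NONE, IOC_WRITE, IOC_READ = 0, 1, 2            # direction bits


def ioc(direction, typ, nr, size):
    """Build an ioctl command number the way the _IOC() macro does."""
    return ((direction << _IOC_DIRSHIFT) | (ord(typ) << _IOC_TYPESHIFT)
            | (size << _IOC_SIZESHIFT) | (nr << _IOC_NRSHIFT))


def decode_ioc(cmd):
    """Split a command number into (direction, type char, nr, size)."""
    direction = (cmd >> _IOC_DIRSHIFT) & 0x3
    typ = chr((cmd >> _IOC_TYPESHIFT) & 0xFF)
    nr = (cmd >> _IOC_NRSHIFT) & 0xFF
    size = (cmd >> _IOC_SIZESHIFT) & ((1 << _IOC_SIZEBITS) - 1)
    return direction, typ, nr, size


@dataclass(frozen=True)
class Request:
    op: str          # "read", "write" or "ioctl"
    length: int = 0  # byte count for read/write
    cmd: int = 0     # ioctl command number


@dataclass(frozen=True)
class Policy:
    allow_read: bool
    max_write: int   # 0 disables writes entirely
    ioctls: dict     # (type char, nr) -> (allowed direction mask, expected arg size)


def check(policy, req):
    """Return (allowed, reason). Anything not explicitly listed is denied."""
    if req.op == "read":
        return (True, "read allowed") if policy.allow_read else (False, "reads denied")
    if req.op == "write":
        if policy.max_write and 0 <= req.length <= policy.max_write:
            return True, "write within limit"
        return False, "write denied or too large"
    if req.op == "ioctl":
        direction, typ, nr, size = decode_ioc(req.cmd)
        rule = policy.ioctls.get((typ, nr))
        if rule is None:
            return False, f"ioctl {typ!r}/{nr} not in allowlist"
        dir_mask, expected_size = rule
        if direction & ~dir_mask:          # any direction bit outside the mask
            return False, "ioctl direction not permitted"
        if size != expected_size:          # kernel copies exactly this many bytes
            return False, "ioctl argument size mismatch"
        return True, "ioctl allowed"
    return False, f"unknown op {req.op!r}"


# Constructed policy for a hypothetical device using ioctl type 'X':
# nr 1 may only be read (16-byte struct), nr 2 may only be written (4 bytes).
SAMPLE_POLICY = Policy(
    allow_read=True,
    max_write=64,
    ioctls={("X", 1): (IOC_READ, 16), ("X", 2): (IOC_WRITE, 4)},
)

# Constructed requests as a container might issue them.
SAMPLE_REQUESTS = [
    Request("read", length=128),
    Request("write", length=32),
    Request("ioctl", cmd=ioc(IOC_READ, "X", 1, 16)),             # allowed
    Request("ioctl", cmd=ioc(IOC_WRITE, "X", 1, 16)),            # wrong direction
    Request("ioctl", cmd=ioc(IOC_READ | IOC_WRITE, "X", 3, 8)),  # not allowlisted
    Request("ioctl", cmd=ioc(IOC_READ, "X", 1, 32)),             # size mismatch
]


def run_demo():
    """Evaluate every sample request against the sample policy."""
    return [check(SAMPLE_POLICY, r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, (ok, why) in zip(SAMPLE_REQUESTS, run_demo()):
        print(f"{req.op:5} {'ALLOW' if ok else 'DENY '} {why}")
```

The policy keys on the decoded `(type, nr)` pair rather than on the raw command number so that a container cannot slip a different direction or argument size past the filter by reusing an allowlisted nr; a proxy built on CUSE would apply the same check inside its ioctl handler before touching the host device.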
