On 10/26/2018 03:00 PM, Ian Jackson wrote:
> Thanks, just tiny comments on this.
>
> George Dunlap writes ("[PATCH 3/5] tools/dm_restrict: Unshare mount and IPC
> namespaces on Linux"):
>> diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
>> index 385643b52c..702ea75149 100644
>> ---
Thanks, just tiny comments on this.
George Dunlap writes ("[PATCH 3/5] tools/dm_restrict: Unshare mount and IPC
namespaces on Linux"):
> diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
> index 385643b52c..702ea75149 100644
> --- a/tools/libxl/libxl_dm.c
> +++
QEMU running under Xen doesn't need mount or IPC functionality.
Create and enter separate namespaces for each of these before
executing QEMU, so that in the event that other restrictions fail, the
process won't be able to even name system mount points or exsting
non-file-based IPC descriptors to
