[Fedora 15/19] kexec: Export sysfs attributes for secureboot and secure modules to user space

[Matthew Garrett]

On Wed, 2013-09-04 at 20:49 -0400, Vivek Goyal wrote:

> I did what Eric Biederman suggested. I first unshare the mount namespace
> of /sbin/kexec from parent. Then I disable any event propogation between
> mounts. Then I lazy unmount existing /proc and /sys and remount them. I 
> think this should make sure that we are seeing at /proc and /sys as
> exported by kenrel?

Namespaces have mostly been used with the assumption that namespaces
contain child processes, rather than parent processes attacking
children. Are we guaranteed that (barring ptrace) a parent process is
unable to manipulate a child's namespaces?

-- 
Matthew Garrett <matthew.garrett at nebula.com>