[Fedora 15/19] kexec: Export sysfs attributes for secureboot and secure modules to user space
Matthew Garrett
matthew.garrett at nebula.com
Thu Sep 5 14:40:39 UTC 2013
On Wed, 2013-09-04 at 20:49 -0400, Vivek Goyal wrote:
> I did what Eric Biederman suggested. I first unshare the mount namespace
> of /sbin/kexec from parent. Then I disable any event propogation between
> mounts. Then I lazy unmount existing /proc and /sys and remount them. I
> think this should make sure that we are seeing at /proc and /sys as
> exported by kenrel?
Namespaces have mostly been used with the assumption that namespaces
contain child processes, rather than parent processes attacking
children. Are we guaranteed that (barring ptrace) a parent process is
unable to manipulate a child's namespaces?
--
Matthew Garrett <matthew.garrett at nebula.com>
More information about the kernel
mailing list