On Fri, Sep 30, 2016 at 03:15:59PM +0200, Miroslav Suchý wrote:
> Hi, I am investigating https://bugzilla.redhat.com/show_bug.cgi?id=1336750 and honestly I'm not sure what the right solution is.
> Right now we use unshare() for CLONE_NEWNS, CLONE_NEWUTS, CLONE_NEWIPC.
> I can detect if mock is running inside of a container and then skip those unshare calls. But... What if I am running some application there *and* mock, in the same container? That can be risky. However, we can just document it and let the user shoot themselves in the foot.
Is there some example of an application that might happen to run next to mock? Running multiple applications in a container is typically not trivial, so a user would have to make an extra effort to achieve that setup.
Can't you just check that you are pid 1 in the container and be happy with that, if you want some safeguards?
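As an added illustration of the safeguard suggested above (example code written for this thread, not mock's own implementation), the policy below only performs the unshare() calls when the process is either on a plain host or is PID 1 of its container, so a second application sharing the container never gets its mount, UTS or IPC namespaces pulled out from under it. How "running in a container" is detected is left to the caller (the `in_container` flag is an assumption; the thread does not say how mock detects it).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Namespaces mock takes today, per the quoted message. */
#define MOCK_NS_FLAGS (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC)

enum ns_decision { NS_UNSHARE = 0, NS_SKIP = 1 };

/*
 * Decide whether it is safe to unshare the namespaces.
 *  - Outside a container: keep the existing behaviour (unshare).
 *  - Inside a container: only when we are PID 1 of that container,
 *    i.e. nothing else is running beside us that could be affected.
 * 'in_container' is supplied by the caller (detection is out of scope here).
 */
enum ns_decision decide_unshare(pid_t pid, int in_container)
{
    if (!in_container)
        return NS_UNSHARE;
    return (pid == 1) ? NS_UNSHARE : NS_SKIP;
}

/*
 * Apply the decision. Returns 0 on success, 1 when the unshare was
 * deliberately skipped, and -errno when unshare() itself failed
 * (CLONE_NEWNS needs CAP_SYS_ADMIN, so an unprivileged container
 * typically yields -EPERM; the caller must handle that too).
 */
int apply_namespaces(pid_t pid, int in_container)
{
    if (decide_unshare(pid, in_container) == NS_SKIP)
        return 1;
    if (unshare(MOCK_NS_FLAGS) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    /* Demo only: treat ourselves as containerized unless told otherwise. */
    int in_container = (getenv("MOCK_IN_CONTAINER") != NULL);
    int rc = apply_namespaces(getpid(), in_container);

    if (rc == 1)
        printf("pid %ld is not PID 1 in the container; skipped unshare\n",
               (long)getpid());
    else if (rc < 0)
        printf("unshare failed: %s\n", strerror(-rc));
    else
        printf("unshared mount/UTS/IPC namespaces\n");
    return rc < 0 ? 1 : 0;
}
```

Run with `MOCK_IN_CONTAINER=1` to exercise the "inside a container" branch; without it the program behaves as mock does today and simply attempts the unshare.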