ee818b89f4890b3a00e93772249fce810f60811e |
|
18-May-2015 |
Alban Crequy <alban@endocode.com> |
core: Private*/Protect* options with RootDirectory
When a service is chrooted with the option RootDirectory=/opt/..., then
the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must
mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}.
The test-ns tool can test setup_namespace() with and without chroot:
$ sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns
$ sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns |
a610cc4f18c24a007e5a2cac21b2ecbd81e5f3c3 |
|
08-Sep-2014 |
Daniel Mack <zonque@gmail.com> |
namespace: add support for custom kdbus endpoint
If a path to a previously created custom kdbus endpoint is passed in,
bind-mount a new devtmpfs that contains a 'bus' node, which in turn in
bind-mounted with the custom endpoint. This tmpfs then mounted over the
kdbus subtree that refers to the current bus.
This way, we can fake the bus node in order to lock down services with
a kdbus custom endpoint policy. |