From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Wed 24 Oct 2001 - 07:31:08 BST

I have looked at the LSM and it seems to be the thing we need (and
potentially a thing I need to complete my virtualfs
http://www.solucorp.qc.ca/virtualfs project).

Currently, the LSM is about security; the blob concept is useful and
can replace the context_info structure I am currently using.

I found some features missing in relation to the vserver project. In no
precise order:

The hooks are generally of the form:

    ret = security_hooks(...);
    if (!ret) {
        /* OK, we are allowed to do the job */
    }

In some cases, it would be useful to allow an override:

    int done = 0;
    ret = security_hooks(&done, ...);
    if (!ret && !done) {
        ...
    }

This seems like featurism for the security module, but this can be an issue
for the vserver project. For example, the current kernel patch provides
a per-vserver hostname. This is probably doable in user space (modifying
glibc somewhat maybe), but might not be as robust. Several utilities
rely on the hostname to initialise some defaults. We want vserver to
be as real as possible.

The vserver patch provides a modified view of the processes in /proc. How
can this be built right now?

---------------------------------------------------------
Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!
http://www.solucorp.qc.ca/miscprj/s_context.hc
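
The override form proposed in the message, as an added example that is not part of the original post and is not LSM or vserver code: a user-space C model of a per-context hostname lookup where the hook can either deny, allow the default path, or do the work itself and set done. The function names, the context table and the hostnames are hypothetical and constructed for illustration.

```c
/* User-space model of the override-capable hook; not kernel or LSM code.
 * All names here are hypothetical; hostnames are constructed samples. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
static const char system_hostname[] = "realbox";
/* Per-context names; NULL means "no override, use the system name". */
static const char *ctx_hostname[] = { NULL, "vserver1", "vserver2" };
#define NCTX (sizeof ctx_hostname / sizeof ctx_hostname[0])

/* Hook contract: return 0 to allow or -errno to deny. The hook may also
 * carry out the operation itself and report that by setting *done. */
static int hostname_hook(int *done, unsigned ctx, char *buf, size_t len)
{
    if (ctx >= NCTX)
        return -EPERM;                  /* unknown context: deny */
    if (ctx_hostname[ctx] == NULL)
        return 0;                       /* allow, default path runs */
    if (strlen(ctx_hostname[ctx]) >= len)
        return -ENAMETOOLONG;
    strcpy(buf, ctx_hostname[ctx]);     /* length checked just above */
    *done = 1;                          /* caller must skip its own work */
    return 0;
}

/* Call site in the form from the message: if (!ret && !done) { ... } */
int do_gethostname(unsigned ctx, char *buf, size_t len)
{
    int done = 0;                       /* caller initialises the flag */
    int ret = hostname_hook(&done, ctx, buf, len);
    if (ret)
        return ret;                     /* a denial wins, whatever done says */
    if (!done) {
        if (sizeof system_hostname > len)
            return -ENAMETOOLONG;
        memcpy(buf, system_hostname, sizeof system_hostname);
    }
    return 0;
}

int main(void)
{
    char buf[64];
    for (unsigned ctx = 0; ctx < 4; ctx++) {
        int ret = do_gethostname(ctx, buf, sizeof buf);
        printf("ctx %u: ret=%d name=%s\n", ctx, ret, ret ? "-" : buf);
    }
    return 0;
}
```

Checking ret before done keeps the hook's permission decision authoritative: a hook that both sets done and returns an error is still treated as a denial.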