From: Enrico Scholz (enrico.scholz_at_informatik.tu-chemnitz.de)
Date: Fri 10 Oct 2003 - 19:12:48 BST
jack_at_solucorp.qc.ca (Jacques Gelinas) writes:
>> * check if current-ctx is a parent-ctx when trying to enter an
>> existing context (go back the parent_ctx fields)
>
> This is an option, but we have to limit the amount of security context
> a vserver is allowed to create.
Should not be a big problem: remove the s_context[] array from 'struct
context_info' and replace it with an 'int ctx_limit' counter.
Creating a new context will call reserveContext() which is implemented
similarly to:
| #include <errno.h>
|
| struct context_info {
| 	struct context_info *parent;	/* 0 for the root context */
| 	int ctx_limit;			/* contexts this ctx may still create */
| };
|
| int reserveContext(struct context_info *ctx)
| {
| 	if (ctx==0) return 0;		/* reached the root: nothing to charge */
| 	if (ctx->ctx_limit==0 || reserveContext(ctx->parent)<0)
| 		return -EPERM;
| 	--ctx->ctx_limit;		/* charged only once all ancestors succeeded */
| 	return 0;
| }
The ctx->ctx_limit value is initialized to min(current_ctx->ctx_limit,
wanted_limit).
>> * remove the supervisor-ctx-1 concept; every ctx can see the processes
>> of its child-contexts
>
> No, this is dangerous. Currently a root server can't clearly differentiate
> its own stuff from all vservers. So we need this. Using killall is handy and it
> would become a nightmare.
Two solutions:
* allow kill/ptrace only on processes of the current ctx (similar to the current
ctx-1 method); this will probably break some tools (e.g. RH initscripts).
* add new S_CTX_INFO_xxx flag which makes processes of parent-ctx and
children visible
Enrico
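As an added example (not Enrico's code and not from the vserver tree), the reserveContext() idea above carried through in C with the min(parent, wanted) initialisation and the matching release on destroy; the struct layout, the function names and the choice to read the parent's budget after it has been charged for the new child are assumptions:

```c
#include <errno.h>
#include <stddef.h>
/* Constructed stand-in for the proposed 'struct context_info' fields. */
struct context_info {
	struct context_info *parent;	/* NULL for the root context */
	int ctx_limit;			/* contexts this ctx may still create */
};
/* Charge one slot at every ancestor, or at none: the decrement happens only
 * after the whole chain above has succeeded, so a refusal leaves no debt. */
int reserve_context(struct context_info *ctx)
{
	if (ctx == NULL) return 0;
	if (ctx->ctx_limit == 0 || reserve_context(ctx->parent) < 0)
		return -EPERM;
	--ctx->ctx_limit;
	return 0;
}

/* Child budget = min(parent's remaining budget, wanted); assumption: the parent
 * is read after it has been charged for this child. Returns 0 or -EPERM. */
int new_context(struct context_info *parent, int wanted, struct context_info *out)
{
	int rc = reserve_context(parent);
	if (rc < 0) return rc;
	out->parent = parent;
	out->ctx_limit = (parent != NULL && parent->ctx_limit < wanted)
			 ? parent->ctx_limit : wanted;
	return 0;
}

/* Give the slot back along the same chain reserve_context() charged. */
void destroy_context(struct context_info *ctx)
{
	for (ctx = ctx->parent; ctx != NULL; ctx = ctx->parent)
		++ctx->ctx_limit;
}
/* Constructed scenario: root allows 2 contexts. Returns 0 when every step
 * behaves as intended, otherwise the number of the failing step. */
int demo(void)
{
	struct context_info root = { NULL, 2 }, a, b, c;
	if (new_context(&root, 5, &a) != 0 || a.ctx_limit != 1) return 1; /* capped */
	if (new_context(&root, 1, &b) != 0 || b.ctx_limit != 0) return 2; /* root: 0 */
	/* a has 1 left but root is exhausted: refused, and a is not charged */
	if (new_context(&a, 1, &c) != -EPERM || a.ctx_limit != 1) return 3;
	destroy_context(&b);				/* root gets its slot back */
	if (new_context(&a, 1, &c) != 0 || a.ctx_limit != 0) return 4;
	return 0;
}
```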