
Re: [Xen-devel] [PATCH] libxl: fix build on rather old systems



Juergen Gross writes ("Re: [PATCH] libxl: fix build on rather old systems"):
> On 11/01/2019 11:09, Jan Beulich wrote:
> > CLONE_NEWIPC has been introduced in Linux 2.6.19 only (and into glibc
> > at around that time as well). Cope with it being undefined as well as
> > with the underlying kernel not knowing of it.
> > 
> > Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> 
> Release-acked-by: Juergen Gross <jgross@xxxxxxxx>

I know I am too slow with this, but for the record:

Nacked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>

On two grounds:

 1. This situation should be handled by disabling the dm restrict
    feature, not silently falling back to lower protection.

 2. Style, #ifdeffery.

I don't agree that the unshare of the IPC namespace is a `nice to
have'.  Without it, a rogue qemu might be able to do a number of bad
things.

Background: AIUI in kernels without CLONE_NEWIPC, the IPC namespace is
shared with the network namespace.  But of course what matters is what
the *runtime* kernel supports, not the build-time kernel.

Ian.
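The two points above (check the runtime kernel rather than the build-time headers, and fail closed instead of silently running qemu with a shared IPC namespace) can be shown in a small stand-alone program. This is an added example, not libxl's code and not part of the thread: the CLONE_NEWIPC shim value is Linux's, but the enum, the classify_unshare_errno/isolate_ipc_namespace/dm_restrict_allowed names and the policy they express are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed shim: older glibc headers do not define CLONE_NEWIPC even though
 * the kernel has used this value since 2.6.19.  Defining it lets the code
 * compile, but says nothing about what the *running* kernel supports. */
#ifndef CLONE_NEWIPC
#define CLONE_NEWIPC 0x08000000
#endif

/* Hypothetical result type for the runtime check. */
enum ipc_isolation {
    IPC_ISOLATED = 0,   /* unshare(2) succeeded: private IPC namespace */
    IPC_UNSUPPORTED,    /* the runtime kernel does not implement CLONE_NEWIPC */
    IPC_DENIED,         /* kernel knows the flag but refused (e.g. no CAP_SYS_ADMIN) */
    IPC_ERROR           /* any other failure */
};

/* Map the errno from a failed unshare(CLONE_NEWIPC) to a decision. */
enum ipc_isolation classify_unshare_errno(int err)
{
    switch (err) {
    case 0:
        return IPC_ISOLATED;
    case EINVAL:   /* kernel predates the flag and rejects it */
    case ENOSYS:   /* kernel predates unshare(2) altogether */
        return IPC_UNSUPPORTED;
    case EPERM:
        return IPC_DENIED;
    default:
        return IPC_ERROR;
    }
}

/* Runtime check: ask the kernel for a private IPC namespace and report
 * what actually happened, regardless of what the build headers said. */
enum ipc_isolation isolate_ipc_namespace(void)
{
    if (unshare(CLONE_NEWIPC) == 0)
        return IPC_ISOLATED;
    return classify_unshare_errno(errno);
}

/* Fail-closed policy: the restricted device model may only start once the
 * process holds a private IPC namespace; every other outcome disables the
 * feature loudly rather than quietly running qemu with shared IPC. */
int dm_restrict_allowed(enum ipc_isolation r)
{
    return r == IPC_ISOLATED;
}

static const char *describe(enum ipc_isolation r)
{
    switch (r) {
    case IPC_ISOLATED:    return "private IPC namespace";
    case IPC_UNSUPPORTED: return "runtime kernel lacks CLONE_NEWIPC";
    case IPC_DENIED:      return "permission denied";
    default:              return "unexpected error";
    }
}

/* Print the namespace identity so the change (or lack of it) is observable. */
static void show_ipc_ns(const char *when)
{
    char buf[64];
    ssize_t n = readlink("/proc/self/ns/ipc", buf, sizeof(buf) - 1);
    if (n < 0) {
        printf("%s: /proc/self/ns/ipc unreadable (%s)\n", when, strerror(errno));
        return;
    }
    buf[n] = '\0';
    printf("%s: %s\n", when, buf);
}

int main(void)
{
    show_ipc_ns("before");
    enum ipc_isolation r = isolate_ipc_namespace();
    show_ipc_ns("after");
    printf("result: %s\n", describe(r));
    if (!dm_restrict_allowed(r)) {
        fprintf(stderr, "dm_restrict unavailable on this kernel; refusing to fall back\n");
        return 1;
    }
    printf("dm_restrict may proceed\n");
    return 0;
}
```

Run as root (or in a user namespace with CAP_SYS_ADMIN) the inode printed for /proc/self/ns/ipc changes between "before" and "after"; on a kernel that predates the flag, unshare returns EINVAL and the program exits non-zero instead of continuing with a shared namespace.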

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
