| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2023-02-10 | Simplify the PID namespace check: just try to mount /proc | Eelco Dolstra | |
| Fixes #7783. | |||
| 2023-02-07 | Print debug message if a namespace test fails | Eelco Dolstra | |
| 2023-02-07 | Fix macOS build | Eelco Dolstra | |
| 2023-02-07 | Check whether we can use PID namespaces | Eelco Dolstra | |
| In unprivileged podman containers, /proc is not fully visible (there are other filesystems mounted on subdirectories of /proc). Therefore we can't mount a new /proc in the sandbox that matches the PID namespace of the sandbox. So this commit automatically disables sandboxing if /proc is not fully visible. | |||
| 2023-02-07 | Fix auto-uid-allocation in Docker containers | Eelco Dolstra | |
| This didn't work because sandboxing doesn't work in Docker. However, the sandboxing check is done lazily - after clone(CLONE_NEWNS) fails, we retry with sandboxing disabled. But at that point, we've already done UID allocation under the assumption that user namespaces are enabled. So let's get rid of the "goto fallback" logic and just detect early whether user / mount namespaces are enabled. This commit also gets rid of a compatibility hack for some ancient Linux kernels (<2.13). | |||
 |
index : lix | |
| User & |
| aboutsummaryrefslogtreecommitdiff |