:: Re: [Dng] Device management [WAS: s…
トップ ページ
このメッセージを削除
このメッセージに返信
著者: Enrico Weigelt, metux IT consult
日付:  
To: Jude Nelson
CC: dng@lists.dyne.org
題目: Re: [Dng] Device management [WAS: system scriptinng language.]
On 31.12.2014 01:56, Jude Nelson wrote:

Hi,

> A much more elegant solution would be to give each session its own
> /dev like you were originally saying--it would allow users to
> interact with different devices under the same name, while also
> preserving POSIX filesystem semantics.


Yes, I really think, separate namespaces are the correct way to do.

Actually, I didn't even think about ACLs (which introduce extra
dimensions orthogonal to the filesystem tree), but doing everything
via separate /dev namespaces.

One interesting question here is whether we should do our own
namespacing (within vdev itself), or just use the kernel infrastructure
for that. (by the way: does anybody here know how other kernels,
like *bsd handle namespaces ?)

Maybe we could go through some scenarios, where you'd currently use
ACLs and check whether they could be done better w/ namespaces.
(in fact, I prefer not to use ACLs, due to additional complexity)

One example is session isolation: here I'm pretty sure that, on login
or session start, a proper namespace should be constructed, before
calling the login shell is started. Do you see any reason for not
going that way ?

By the way: does vdev's ACL handling also allow revoking permissions
to some device even on already opened fd's ?


cu
--
Enrico Weigelt,
metux IT consulting
+49-151-27565287