Juergen Gross writes ("Re: [PATCH] libxl: fix build on rather old systems"):
> On 11/01/2019 11:09, Jan Beulich wrote:
> > CLONE_NEWIPC has been introduced in Linux 2.6.19 only (and into glibc
> > at around that time as well). Cope with it being undefined as well as
> > with the underlying kernel not knowing of it.
> >
> > Signed-off-by: Jan Beulich <[email protected]>
>
> Release-acked-by: Juergen Gross <[email protected]>
I know I am too slow with this, but for the record:
Nacked-by: Ian Jackson <[email protected]>
On two grounds:
1. This situation should be handled by disabling the dm restrict
feature, not silently falling back to lower protection.
2. Style, #ifdeffery.
I don't agree that the unshare of the IPC namespace is a `nice to
have'. Without it, a rogue qemu might be able to do a number of bad
things.
Background: AIUI in kernels without CLONE_NEWIPC, the IPC namespace is
shared with the network namespace. But of course what matters is what
the *runtime* kernel supports, not the build-time kernel.
Ian.
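As an added example (not part of the patch or of libxl), here is the shape of the fail-closed check argued for above: a build-time fallback for a missing CLONE_NEWIPC definition plus a probe of the running kernel, so that an old kernel disables dm restrict instead of silently running with a shared IPC namespace. The probe/enum names and the errno interpretation (EINVAL for a flag the kernel does not know, EPERM for missing privilege) are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
int unshare(int flags); /* prototype repeated in case headers preceded _GNU_SOURCE */

/* Build-time fallback for old glibc headers (CLONE_NEWIPC arrived in Linux 2.6.19).
 * This only lets the probe compile; it says nothing about the running kernel. */
#ifndef CLONE_NEWIPC
#define CLONE_NEWIPC 0x08000000
#endif

/* Probe outcomes (names chosen for this example, not libxl's). */
enum ipc_ns_probe {
    IPC_NS_OK = 0,          /* unshare(CLONE_NEWIPC) succeeded */
    IPC_NS_UNSUPPORTED = 1, /* runtime kernel rejected the flag (EINVAL, assumed) */
    IPC_NS_NO_PRIV = 2,     /* flag known, but the caller lacks privilege (EPERM) */
    IPC_NS_ERROR = 3        /* fork/wait failure or an unexpected errno */
};

/* Probe in a forked child so the caller's own IPC namespace is untouched;
 * the child's exit status carries the result back. */
enum ipc_ns_probe probe_ipc_namespace(void) {
    pid_t pid = fork();
    if (pid < 0)
        return IPC_NS_ERROR;
    if (pid == 0) {
        if (unshare(CLONE_NEWIPC) == 0)
            _exit(IPC_NS_OK);
        _exit(errno == EINVAL ? IPC_NS_UNSUPPORTED :
              errno == EPERM  ? IPC_NS_NO_PRIV : IPC_NS_ERROR);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return IPC_NS_ERROR;
    return (enum ipc_ns_probe)WEXITSTATUS(status);
}

/* Fail closed: dm restrict is enabled only when the namespace really can be
 * unshared; every other outcome disables the feature rather than silently
 * running qemu in a shared IPC namespace. */
int dm_restrict_allowed(enum ipc_ns_probe result) {
    return result == IPC_NS_OK;
}

int main(void) {
    enum ipc_ns_probe r = probe_ipc_namespace();
    printf("probe=%d, dm restrict %s\n", r, dm_restrict_allowed(r) ? "enabled" : "disabled");
    return 0;
}
```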
_______________________________________________
Xen-devel mailing list
[email protected]
https://lists.xenproject.org/mailman/listinfo/xen-devel