[Devel] Re: user namespaces config option

Serge E. Hallyn serue at us.ibm.com
Thu Aug 16 04:56:36 PDT 2007


Quoting Pavel Emelyanov (xemul at openvz.org):
> Hi, Cedric, Serge.
>
> I have noticed, that you have removed config options for
> uts and ipc namespaces but kept one for user namespace.
>
> What's the policy about what namespaces should have config
> option? I thought, that the only code that is worth having
> under option is clone/destroy one to save .text size for
> people who don't need them (embedded).

The user namespaces are under a config and marked experimental because
uid-based permission checks do not take namespaces into account and the
root user in a namespace is not at all controlled.  You can handle the
security implications using selinux, but I guess the fear is that people
would assume uid namespaces do more than they currently do.

-serge
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers




More information about the Devel mailing list