From mboxrd@z Thu Jan 1 00:00:00 1970
From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
Subject: Re: CGroup Namespaces (v4)
Date: Wed, 18 Nov 2015 03:18:44 -0600
Message-ID: <87r3jnfyx7.fsf@x220.int.ebiederm.org>
References: <1447703505-29672-1-git-send-email-serge@hallyn.com>
 <20151116204606.GA30681@mail.hallyn.com>
 <564A41AF.4040208@nod.at>
 <20151116205452.GA30975@mail.hallyn.com>
 <87y4dxh9b8.fsf@x220.int.ebiederm.org>
 <20151118023022.GA17501@mail.hallyn.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <20151118023022.GA17501-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org> (Serge E. Hallyn's message of "Tue, 17 Nov 2015 20:30:22 -0600")
Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
To: "Serge E. Hallyn"
Cc: Richard Weinberger, Linux Containers, LKML, LXC development mailing-list, "open list:ABI/API", Tejun Heo, cgroups mailinglist, Andrew Morton
List-Id: linux-api@vger.kernel.org

"Serge E. Hallyn" writes:

> On Mon, Nov 16, 2015 at 04:24:27PM -0600, Eric W. Biederman wrote:
>> Similarly, have you considered what is required to be able to safely set
>> FS_USERNS_MOUNT?
>
> I pushed the one patch which I feel is needed to my branch (it's also
> included in another reply). Aditya had already added FS_USERNS_MOUNT to
> the cgroup fs flags, so I think we're now all set. I can start
> unprivileged containers which mount cgroupfs (which makes systemd happy).

In principle that sounds very good, and I am glad to see that.

Let's hold off on merging the unprivileged part until everything else is
reviewed and merged and we have performed an extra hard look at the
security implications, as it can be easy to overlook something when
relaxing the permissions.

Eric