From: Richard Weinberger
Subject: Re: [PATCH] userns/capability: Add user namespace capability
Date: Mon, 19 Oct 2015 14:48:04 +0200
Message-ID: <5624E684.8000302@nod.at>
References: <5622700C.9090107@miglix.eu> <20151017215501.GA22900@mail.hallyn.com> <5623FD82.4030902@miglix.eu> <20151019014112.GA1683@mail.hallyn.com> <1445258180.4099.18.camel@debian.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
In-Reply-To: <1445258180.4099.18.camel-8fiUuRrzOP0dnm+yROfE0A@public.gmane.org>
Sender: linux-api-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
To: Yves-Alexis Perez, "Serge E. Hallyn", Tobias Markus
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, "Eric W. Biederman", Al Viro, Serge Hallyn, Andrew Morton, Andy Lutomirski, Christoph Lameter, "Michael Kerrisk (man-pages)", linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Richard Weinberger
List-Id: linux-man@vger.kernel.org

On 19.10.2015 at 14:36, Yves-Alexis Perez wrote:
> On Sun., 2015-10-18 at 20:41 -0500, Serge E. Hallyn wrote:
>> We shouldn't need a long-term solution. Your concern is bugs. After
>> some time surely we'll feel that we have achieved a stable solution?
>
> But this is actually the whole point: we need a long-term solution, because
> there will always be bugs, whether in user namespaces or in other parts exposed
> by user namespaces. It's fine to fix them when we find them, but that still
> means they're exploitable even before we know about them. We still find bugs
> in code written years ago; it's quite certain there are bugs in current code.

You can replace the term "user namespace" with any other non-trivial kernel
subsystem. There will always be bugs.

Thanks,
//richard