From: Eric W. Biederman
Subject: Re: Current state of CLONE_NEWUSER?
Date: Wed, 19 Nov 2008 17:41:21 -0800
To: Michael Kerrisk
Cc: Serge Hallyn, Subrata Modak, lkml, linux-man
List-Id: linux-man@vger.kernel.org
In-Reply-To: Michael Kerrisk's message of "Wed, 19 Nov 2008 15:04:22 -0500"

"Michael Kerrisk" writes:

> Hi Serge,
>
> What is the current status of CLONE_NEWUSER? I'm currently trying to
> test this flag in preparation for documenting it in the clone(2) man
> page, but am running into an ENOMEM error from the clone() call, which
> seems to occur after a failure in kobject_init_and_add() in the
> following call sequence:
>
> clone_user_ns() --> alloc_uid() --> uids_user_create() -->
> kobject_init_and_add()
>
> Are there already some test programs somewhere? Is there any
> documentation already available for this flag?

This code is definitely still under development. When complete it
should be able to create a new uid namespace as an unprivileged user,
creating a new process with uid == gid == 0, with a full set of caps,
and with permission to do nothing on the system except read
world-readable files and write world-writable files.

Eric
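The behaviour Eric describes for a finished CLONE_NEWUSER (uid 0 and a full capability set inside the namespace, yet no privilege over the rest of the system) can be observed with the user-namespace interface that later kernels actually shipped (Linux 3.8 and up, where the new namespace gets its identity through /proc/PID/uid_map). The C program below is an added example, not code from this thread or from the 2008 development tree; it assumes a Linux kernel that permits unprivileged user namespaces and reports DEMO_UNSUPPORTED where the sandbox refuses to create one.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/capability.h>
/* userns_demo() outcomes: as described / could not create a user ns / a check failed */
enum { DEMO_OK = 0, DEMO_UNSUPPORTED = 1, DEMO_FAIL = 2 };
/* Runs in a forked child so the caller's own namespace is untouched. */
static int demo_in_child(void) {
    uid_t outer = geteuid();            /* our (unprivileged) uid outside */
    char map[64], host[256] = "";
    if (unshare(CLONE_NEWUSER) < 0)     /* EPERM/ENOSPC/EINVAL: sandbox policy */
        return DEMO_UNSUPPORTED;
    /* Map uid 0 inside the namespace to our own outer uid; mapping only
     * your own uid needs no CAP_SETUID in the parent namespace. */
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)outer);
    int fd = open("/proc/self/uid_map", O_WRONLY);
    if (fd < 0 || write(fd, map, strlen(map)) != (ssize_t)strlen(map))
        return DEMO_FAIL;
    close(fd);
    /* 1. Inside, we are uid 0. */
    if (getuid() != 0 || geteuid() != 0)
        return DEMO_FAIL;
    /* 2. Inside, we hold a full capability set (check CAP_SYS_ADMIN). */
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) < 0 ||
        !(data[0].effective & (1u << CAP_SYS_ADMIN)))
        return DEMO_FAIL;
    /* 3. Yet those caps buy nothing outside: the UTS namespace belongs to the
     * parent user ns, so even a no-op sethostname() of the current name gets EPERM. */
    gethostname(host, sizeof host - 1);
    if (sethostname(host, strlen(host)) == 0 || errno != EPERM)
        return DEMO_FAIL;
    return DEMO_OK;
}
int userns_demo(void) {
    int status; pid_t pid = fork();
    if (pid < 0) return DEMO_FAIL;
    if (pid == 0) _exit(demo_in_child());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return DEMO_FAIL;
    return WEXITSTATUS(status);         /* DEMO_OK, DEMO_UNSUPPORTED or DEMO_FAIL */
}
```

Where unprivileged user namespaces are disabled by policy (for example a sysctl or a seccomp filter that denies unshare), the call returns DEMO_UNSUPPORTED rather than failing, which is itself the defender-side check worth knowing about.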