From mboxrd@z Thu Jan 1 00:00:00 1970
From: ebiederm@xmission.com (Eric W. Biederman)
Subject: Re: [RFC][PATCH] ns: Syscalls for better namespace sharing control.
Date: Fri, 26 Feb 2010 15:13:47 -0800
Message-ID:
References: <4B4F24AC.70105@trash.net> <4B4F3A50.1050400@trash.net> <1263490403.23480.109.camel@bigi> <4B50403A.6010507@trash.net> <1263568754.23480.142.camel@bigi> <1266875729.3673.12.camel@bigi> <1266931623.3973.643.camel@bigi> <1266934817.3973.654.camel@bigi> <1266966581.3973.675.camel@bigi> <4B883987.6090408@parallels.com> <4B883E6F.1060907@parallels.com> <4B8843FE.4000404@cs.columbia.edu> <4B885093.4070807@cs.columbia.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Pavel Emelyanov , Ben Greear , Linux Netdev List , containers@lists.linux-foundation.org, Netfilter Development Mailinglist , Daniel Lezcano
To: Oren Laadan
Return-path:
In-Reply-To: <4B885093.4070807@cs.columbia.edu> (Oren Laadan's message of "Fri\, 26 Feb 2010 17\:52\:03 -0500")
Sender: netfilter-devel-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

Oren Laadan writes:

> Can't think of a specific scenario, but I wonder if there would
> be a problem (security or otherwise) with a process that only
> partly belongs to a container, even if for a short time ?

If we can find an instance of that then there are fundamental problems
with setns.

The driving use case right now is for things like network namespaces
where userspace really wants to have several at once, and wants to be
able to control them all.

Eric