[PATCH 0/3] Introduce user namespace capabilities

Jarkko Sakkinen jarkko at kernel.org
Thu May 16 19:29:06 UTC 2024


On Thu May 16, 2024 at 10:07 PM EEST, Casey Schaufler wrote:
> I suggest that adding a capability set for user namespaces is a bad idea:
> 	- It is in no way obvious what problem it solves
> 	- It is not obvious how it solves any problem
> 	- The capability mechanism has not been popular, and relying on a
> 	  community (e.g. container developers) to embrace it based on this
> 	  enhancement is a recipe for failure
> 	- Capabilities are already more complicated than modern developers
> 	  want to deal with. Adding another, special purpose set, is going
> 	  to make them even more difficult to use.

What Inh, Prm, Eff, Bnd and Amb is not dead obvious to you? ;-)
One UNs cannot hurt...

I'm not following containers that much but didn't seccomp profiles
supposed to be the silver bullet?

BR, Jarkko



More information about the Linux-security-module-archive mailing list