[PATCH 0/3] Introduce user namespace capabilities
Jarkko Sakkinen
jarkko at kernel.org
Thu May 16 19:29:06 UTC 2024
On Thu May 16, 2024 at 10:07 PM EEST, Casey Schaufler wrote:
> I suggest that adding a capability set for user namespaces is a bad idea:
> - It is in no way obvious what problem it solves
> - It is not obvious how it solves any problem
> - The capability mechanism has not been popular, and relying on a
> community (e.g. container developers) to embrace it based on this
> enhancement is a recipe for failure
> - Capabilities are already more complicated than modern developers
> want to deal with. Adding another, special purpose set, is going
> to make them even more difficult to use.
What Inh, Prm, Eff, Bnd and Amb is not dead obvious to you? ;-)
One UNs cannot hurt...
I'm not following containers that much but didn't seccomp profiles
supposed to be the silver bullet?
BR, Jarkko
More information about the Linux-security-module-archive
mailing list