[PATCH 0/3] Introduce user namespace capabilities
Jarkko Sakkinen
jarkko at kernel.org
Sat May 18 11:21:58 UTC 2024
On Sat May 18, 2024 at 2:17 PM EEST, Jarkko Sakkinen wrote:
> On Sat May 18, 2024 at 2:08 PM EEST, Jarkko Sakkinen wrote:
> > On Fri May 17, 2024 at 10:11 PM EEST, Jonathan Calmels wrote:
> > > On Fri, May 17, 2024 at 10:53:24AM GMT, Casey Schaufler wrote:
> > > > Of course they do. I have been following the use of capabilities
> > > > in Linux since before they were implemented. The uptake has been
> > > > disappointing in all use cases.
> > >
> > > Why "Of course"?
> > > What if they should not get *all* privileges?
> >
> > They do the job given a real-world workload and stress test.
> >
> > Here the problem is based on a theory and an experiment.
> >
> > Even a formal model does not necessarily map all "unknown unknowns".
>
> So this was like the worst "sales pitch" ever:
>
> 1. The cover letter starts with the idea of having to argue about name
> spaces, and have fun while doing that ;-) We all have our own ways to
> entertain ourselves but "name space duels" are not my thing. Why not
> just start with why we all want this instead? Maybe we don't want it
> then. Maybe this is just useless spam given the angle presented?
> 2. There's shitloads of computer science and set theory but nothing
> that would make common sense. You need to build more understandable
> model. There's zero "gist" in this work.
>
> Maybe this does make sense but the story around it sucks so far.
One tip: I think this is wrong forum to present namespace ideas in the
first place. It would be probably better to talk about this with e.g.
systemd or podman developers, and similar groups. There's zero evidence
of the usefulness. Then when you go that route and come back with actual
users, things click much more easily. Now this is all in the void.
BR, Jarkko
More information about the Linux-security-module-archive
mailing list