On Wed, Feb 01, 2017 at 02:45:46AM -0500, Daniel Micay wrote:
> Application containers don't have a use for the user namespace quasi
> root and no one really needs the half baked uid/gid mapping feature.
> There's no real reason for stuff being done that way beyond desktop
> Linux having the disease of inability to do plumbing in userspace, but
> instead putting everything in the kernel simply to have it universally
> available rather than for technical reasons.
>
> It would make sense to simply have a service spawning on-demand unpriv
> users from a range of uid/gid pairs. That's exactly how this works on
> Android for both apps and isolatedProcess services (they each get a
> unique uid/gid pair assigned), although they also layer SELinux and
> mount namespaces on top.

Cool :) thx for the explanation...

Cheers,
L.

-- 
Leonid Isaev
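As an added illustration of the design sketched in the quoted message (a service that hands each sandboxed process its own uid/gid pair from a reserved range, rather than relying on user-namespace uid mapping), here is a small Python sketch. It is not code from the thread, from Android, or from either author; the reserved range 10000-10099, the `UidPool` class and the helper names are constructed for this example. It shows only the uid/gid part; the SELinux and mount-namespace layers Daniel mentions are not modelled.

```python
"""Minimal "uid broker": unique uid/gid pair per spawned process.

Added example, not from the thread or from Android. The reserved range and
all names here are assumptions chosen for illustration.
"""
from __future__ import annotations

import os
import subprocess
import sys


class UidPool:
    """Hands out unique uid/gid pairs from a reserved numeric range.

    gid == uid for simplicity. A pair is never held by two live processes
    at once, which is the isolation property the design relies on: two
    sandboxed processes never share a uid, so ordinary DAC keeps them apart.
    """

    def __init__(self, first: int, last: int) -> None:
        if first <= 0 or last < first:
            raise ValueError("reserved range must be positive and non-empty")
        self.first, self.last = first, last
        self._free: list[int] = list(range(first, last + 1))
        self._in_use: set[int] = set()

    def acquire(self) -> tuple[int, int]:
        """Return a (uid, gid) pair not currently in use, or fail loudly."""
        if not self._free:
            raise RuntimeError("uid range exhausted")
        uid = self._free.pop(0)
        self._in_use.add(uid)
        return uid, uid

    def release(self, uid: int) -> None:
        """Return a pair to the pool once its process has exited."""
        if uid not in self._in_use:
            raise ValueError(f"uid {uid} was not allocated by this pool")
        self._in_use.remove(uid)
        self._free.append(uid)

    def in_use(self) -> int:
        return len(self._in_use)


def drop_to(uid: int, gid: int) -> None:
    """Irrevocably switch the calling process to uid/gid.

    Order matters: supplementary groups first, then gid, then uid. Once the
    uid is unprivileged the other two calls would be refused. Runs inside
    the child between fork and exec, so it needs root to succeed.
    """
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    # A real drop must not be reversible; refuse to continue if it is.
    try:
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop did not stick")


def spawn_unprivileged(pool: UidPool, argv: list[str]) -> int:
    """Run argv under a freshly allocated uid/gid pair; return its exit code.

    The pair is released when the process ends, so the range is reused.
    """
    uid, gid = pool.acquire()
    try:
        proc = subprocess.run(argv, preexec_fn=lambda: drop_to(uid, gid))
        return proc.returncode
    finally:
        pool.release(uid)


if __name__ == "__main__":
    pool = UidPool(10000, 10099)  # constructed reserved range
    if os.geteuid() != 0:
        print("not root: allocator works, but the actual uid switch needs root")
        print("sample allocation:", pool.acquire())
        sys.exit(0)
    # As root, `id` printed by the child shows the assigned uid/gid pair.
    sys.exit(spawn_unprivileged(pool, ["id"]))
```

Run as root, the child prints an `id` line with the allocated uid/gid; run unprivileged, only the allocator is exercised. The broker process itself is the only thing that needs CAP_SETUID, which is the point of keeping the plumbing in a userspace service.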