Paul Moore <paul@xxxxxxxxxxxxxx> writes: > At the end of the v4 patchset I suggested merging this into lsm/next > so it could get a full -rc cycle in linux-next, assuming no issues > were uncovered during testing What in the world can be uncovered in linux-next for code that has no in tree users. That is one of my largest problems. I want to talk about the users and the use cases and I don't get dialog. Nor do I get hey look back there you missed it. Since you don't want to rehash this. I will just repeat my conclusion that the patchset appears to introduce an ineffective defense that will achieve nothing in the defense of the kernel, and so all it will achieve a code maintenance burden and to occasionally break legitimate users of the user namespace. Further the process is broken. You are changing the semantics of an operation with the introduction of a security hook. That needs a man-page and discussion on linux-abi. In general of the scrutiny we give to new systems and changed system calls. As this change fundamentally changes the semantics of creating a user namespace. Skipping that part of the process is not simply disagree that is being irresponsible. Eric
