Glauber Costa <glommer@xxxxxxxxxxxxx> writes: > Since we have strict control on who access the devices, it should be > no problem to allow the device to appear. Having cgroups or user namespaces grant privileges makes me uneasy. With these patches it looks like I can do something evil like. 1. Create a devcgroup. 2. Put a process in it. 3. Create a usernamespace. 4. Run a container in that user namespace. 5. As an unprivileged user in that user namespace create another user namespace. 6. Call mknod and have it succeed. Or in short I don't think this handles nested user namespaces at all. With or without Serge's suggested change. At a practical level now is not the right time to be granting more permissions to user namespaces. Lately too many silly bugs have been found in what is already there. Eric -- To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
