On Thu, 2014-11-27 at 18:38 +0100, Lukasz Pawelczyk wrote:
> Right now the major issue I see is that LSM by itself is not defined how
> it's going to behave. It's up to a specific LSM module.
>
> E.g. within the Smack namespace filling the map is a privileged
> operation. So by tying them up you cripple the ability to create a fully
> working user namespace as an unprivileged process.

Entertaining the idea that LSM namespace would be tied to user namespace
(as you suggested), how do you see the limitation I described above?

--
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics