Lukasz Pawelczyk <l.pawelczyk@xxxxxxxxxxx> writes: > On czw, 2014-11-27 at 18:38 +0100, Lukasz Pawelczyk wrote: >> Right now the major issue I see is that LSM by itself is not defined how >> it's going to behave. It's up to a specific LSM module. >> >> E.g. within the Smack namespace filling the map is a privileged >> operation. So by tying them up you cripple the ability to create a fully >> working user namespace as an unprivileged process. > > Entertaining the idea that LSM namespace would be tied to user namespace > (as you suggested) how do you see the limitation I described above? If they are tied it means you wind up in a situation where there are no labels you can set. In general setting the uid and gid maps is also a privileged operations. I really don't know what makes sense to do with lsms and namespaces generically, but I do know that your lsm namespace patche were awkwards and weird and seemed to be taking things in the wrong direction. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
