On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus <tobias@xxxxxxxxx> wrote: > One question remains though: Does this break userspace executables that > expect being able to create user namespaces without priviledge? Since > creating user namespaces without CAP_SYS_ADMIN was not possible before > Linux 3.8, programs should already expect a potential EPERM upon calling > clone. Since creating a user namespace without CAP_SYS_USER_NS would > also cause EPERM, we should be on the safe side. In case of doubt, yes it will break existing software. Hiding user namespaces behind CAP_SYS_USER_NS will not magically make them secure. -- Thanks, //richard -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html