Serge E. Hallyn wrote: > Here is a small patchset I've been sitting on for awhile > to make signaling mostly subject to user namespaces. In > particular, > > 1. store user_namespace in user struct > 2. introduce CAP_NS_OVERRIDE > 3. require CAP_NS_OVERRIDE to signal another user namespace > > The first step should have been done all along. Else wouldn't > a hash collision on (ns1, uid) and (ns2, uid), however unlikely, > give us wrong results at uid_hash_find()? Unless I've completely misunderstood the code, each namespace has a separate hash. Please correct me if I'm wrong. > The main remaining signaling+userns issue is of course the > siginfo. Tacking a userns onto siginfo is a pain due to > lifetime mgmt issues. I haven't decided whether to just > catch all the callers and fake uid=0 if user namespaces > aren't the same, introduce some unique non-refcounted id to > represent (user,user_ns), or find some other way to deal with > it. > > thanks, > -serge -- Daniel Hokka Zakrisson _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
