Re: Containers don't handle keys, but should they?

Serge E. Hallyn <serue@xxxxxxxxxx> wrote:

> It looks like maybe just adding a struct user_namespace * to a struct key
> should suffice.

That's not quite sufficient.  The per-UID key_user structs also need to be
differentiated.  Unfortunately, I can't just merge it into user_struct as I
then end up with a reference loop user_struct -> uid_keyring -> user_struct.

Rooting the key_user trees in user_namespace will probably do the trick.

A couple of questions:

 (1) A process may inherit a session keyring over clone().  Should this be
     discarded if CLONE_NEWUSER is set?  Or would I need to copy it?

 (2) In a recent patch, I've given the root user its own quota limits.  Is UID
     0 always the root user in any container?  Or would it make more sense
     just to scrap the per-root quota limits?

David
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
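The reference loop David describes (user_struct -> uid_keyring -> user_struct) and the proposed way out (a separate per-UID key_user record rooted in the user_namespace) can be modelled with plain refcounts. The following is an added toy example, not kernel code and not from either poster: the struct names reuse the mail's vocabulary, but every type, field and function here is a hypothetical stand-in, the namespace "tree" is a linked list, and the refcounts are plain ints. It shows why the merged layout can never tear down and why the namespace-rooted one does.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy refcount model of the loop in the mail above.  Hypothetical types that
 * borrow the mail's names; not the kernel's structures or functions. */

static int live_objects;            /* toy objects currently allocated */

struct user_namespace;

struct key_user {                   /* per-UID quota record, rooted in a namespace */
    int refs;
    unsigned uid;
    struct user_namespace *ns;
    struct key_user *next;          /* a list stands in for the rb-tree */
};

struct user_namespace {
    struct key_user *key_users;     /* root of this namespace's key_user "tree" */
};

struct user_struct {
    int refs;
    struct key *uid_keyring;        /* owned reference to the UID keyring */
};

struct key {
    int refs;
    struct user_struct *owner;      /* layout A: key_user merged into user_struct */
    struct key_user *user;          /* layout B: separate key_user, found via ns */
};

static void *toy_alloc(size_t n) { live_objects++; return calloc(1, n); }
static void toy_free(void *p) { live_objects--; free(p); }

static void key_put(struct key *k);

static void user_put(struct user_struct *u)
{
    if (--u->refs == 0) {
        if (u->uid_keyring)
            key_put(u->uid_keyring);
        toy_free(u);
    }
}

static void key_user_put(struct key_user *ku)
{
    if (--ku->refs == 0) {
        /* last key for this UID in this namespace: unlink from the ns tree */
        struct key_user **pp = &ku->ns->key_users;
        while (*pp != ku)
            pp = &(*pp)->next;
        *pp = ku->next;
        toy_free(ku);
    }
}

static void key_put(struct key *k)
{
    if (--k->refs == 0) {
        if (k->owner) user_put(k->owner);
        if (k->user) key_user_put(k->user);
        toy_free(k);
    }
}

static struct user_struct *user_alloc(void)
{
    struct user_struct *u = toy_alloc(sizeof *u);
    u->refs = 1;
    return u;
}

/* Layout A: the key's back-pointer is the owning user_struct itself. */
static struct key *key_alloc_merged(struct user_struct *owner)
{
    struct key *k = toy_alloc(sizeof *k);
    k->refs = 1;
    k->owner = owner;
    owner->refs++;                  /* the key pins its owner ... */
    return k;
}

/* Layout B: find or create the per-UID record under the namespace. */
static struct key_user *key_user_lookup(struct user_namespace *ns, unsigned uid)
{
    struct key_user *ku;
    for (ku = ns->key_users; ku; ku = ku->next)
        if (ku->uid == uid) { ku->refs++; return ku; }
    ku = toy_alloc(sizeof *ku);
    ku->refs = 1;
    ku->uid = uid;
    ku->ns = ns;
    ku->next = ns->key_users;
    ns->key_users = ku;
    return ku;
}

static struct key *key_alloc_ns(struct key_user *ku)
{
    struct key *k = toy_alloc(sizeof *k);
    k->refs = 1;
    k->user = ku;
    ku->refs++;                     /* the key pins only the quota record */
    return k;
}

/* Objects still alive after the last caller reference is dropped.
 * Layout A: user and keyring hold each other, so both survive (returns 2). */
int merged_layout_live_after_teardown(void)
{
    struct user_struct *u = user_alloc();
    u->uid_keyring = key_alloc_merged(u);   /* ... and the owner pins the key */
    user_put(u);                            /* refs 2 -> 1: nothing is freed */
    int leaked = live_objects;
    toy_free(u->uid_keyring);               /* break the cycle by hand so the */
    toy_free(u);                            /* toy can be run again */
    return leaked;
}

/* Layout B: key_user rooted in the namespace, so user -> keyring -> key_user
 * is a chain, not a loop; everything frees and the ns tree empties (returns 0). */
int ns_rooted_layout_live_after_teardown(struct user_namespace *ns)
{
    struct user_struct *u = user_alloc();
    struct key_user *ku = key_user_lookup(ns, 1000);
    u->uid_keyring = key_alloc_ns(ku);
    key_user_put(ku);                       /* drop the lookup reference */
    user_put(u);                            /* frees user, keyring, key_user */
    return live_objects;
}

int main(void)
{
    struct user_namespace ns = { 0 };
    printf("merged layout: %d objects leaked\n",
           merged_layout_live_after_teardown());
    printf("ns-rooted layout: %d objects leaked, tree empty: %s\n",
           ns_rooted_layout_live_after_teardown(&ns),
           ns.key_users ? "no" : "yes");
    return 0;
}
```

The point of the second layout is that the only back-pointer a key carries is to the quota record, which pins nothing but itself and its slot in the namespace tree; dropping the last user_struct reference therefore unwinds the whole chain instead of stalling at a refcount of one.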
