Quoting David Howells (dhowells@xxxxxxxxxx): > Serge E. Hallyn <serue@xxxxxxxxxx> wrote: > > > It looks like maybe just adding a struct user_namespace * to a struct key > > should suffice. > > That's not quite sufficient. The per-UID key_user structs also need to be > differentiated. Unfortunately, I can't just merge it into user_struct as I > then end up with a reference loop user_struct -> uid_keyring -> user_struct. > > Rooting the key_user trees in user_namespace will probably do the trick. > > A couple of questions: > > (1) A process may inherit a session keyring over clone(). Should this be > discarded if CLONE_NEWUSER is set? Or would I need to copy it? Someone else may have stronger feelings about this. Personally so long as a container setup program has a way of discarding the keyring manually I think that's fine. > (2) In a recent patch, I've given the root user its own quota limits. Is UID > 0 always the root user in any container? Or would it make more sense > just to scrap the per-root quota limits? Yeah uid 0 may not have a bunch of privileges, but it is still the root user. thanks, -serge _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers