Re: [PATCH 3/4] fs: allow mknod in user namespaces

Glauber Costa <glommer@xxxxxxxxxxxxx> writes:

> Since we have strict control on who access the devices, it should be
> no problem to allow the device to appear.

Having cgroups or user namespaces grant privileges makes me uneasy.

With these patches it looks like I can do something evil like:

1. Create a devcgroup.
2. Put a process in it.
3. Create a usernamespace.
4. Run a container in that user namespace.
5. As an unprivileged user in that user namespace create another user namespace.
6. Call mknod and have it succeed.

Or, in short, I don't think this handles nested user namespaces at all,
with or without Serge's suggested change.

At a practical level now is not the right time to be granting more
permissions to user namespaces.  Lately too many silly bugs have been
found in what is already there.

Eric
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers