On czw, 2014-11-27 at 09:42 -0600, Eric W. Biederman wrote: > Lukasz Pawelczyk <l.pawelczyk@xxxxxxxxxxx> writes: > > > On czw, 2014-11-27 at 16:01 +0100, Richard Weinberger wrote: > >> Am 27.11.2014 um 15:44 schrieb Lukasz Pawelczyk: > >> > True, the last one is 0x80000000. I did not notice that. Thanks for > >> > pointing out. > >> > >> Isn't this CLONE_IO? > > > > Yes, I was merely noticing out loud that it's the last bit of 32bit. > > > > After close look though the 0x00001000 appears to be unused > > > >> > Any suggestion on what can be done here? New syscal with flags2? > >> > >> I'm not sure. But a new syscall would be a candidate. > > We are probably going to need to go a couple rounds with this but at > first approximation I think this functionality needs to be tied to the > user namespace. This functionality already looks half tied to it. > > When mounting filesystems with user namespaces priveleges matures a > little more you should be able to use unmapped labels. In the near term > we are looking at filesystems such as tmpfs, fuse and posibly extN. I presume you are referring to the Smack namespace readme where I mentioned mounts with specifying smack labels in the mount options, not to the quote above? I was referring the to the check here that has been changed to smack_ns_privileged() using ns_capable(): http://lxr.free-electrons.com/source/security/smack/smack_lsm.c#L462 And you can't use an unmapped Smack label inside the namespace, this would be completely against its idea. Anyway, at this point I'm more interested in the LSM namespace. I'll be doing an RFC for Smack namespace later. Unless I misunderstood your mail. -- Lukasz Pawelczyk Samsung R&D Institute Poland Samsung Electronics _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers