On Thu, 2014-11-27 at 18:38 +0100, Lukasz Pawelczyk wrote:
> Right now the major issue I see is that LSM by itself is not defined how
> it's going to behave. It's up to a specific LSM module.
>
> E.g. within the Smack namespace filling the map is a privileged
> operation. So by tying them up you cripple the ability to create a fully
> working user namespace as an unprivileged process.

Entertaining the idea that LSM namespace would be tied to user namespace
(as you suggested), how do you see the limitation I described above?

--
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers