On Thu, May 28, 2015 at 9:36 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: > Implicits for only the locked mount flags is a little different but > still ick. FWIW, I only ever meant to advocate for this for locked flags, i.e. cases where the only other option is to throw EPERM. Clearly when the user has permission, the exact requested flags should be applied, or all kinds of things break. It seems to me that if we can fix the security issue without breaking userspace, we should. Sometimes we end up with icky APIs to avoid breaking userspace. (Though IMO implicitly preserving locked bits is not icky at all.) -Kenton _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
