On Tue, 2016-10-25 at 17:53 +0100, David Howells wrote:
> David Howells <dhowells@xxxxxxxxxx> wrote:
>
> > (2) If a process's user_namespace doesn't match that recorded in a key then
> >     it gets ENOKEY if it tries to refer to it or access it and can't see it
> >     in /proc/keys.
>
> There's another possibility here - since user_namespaces are
> hierarchical, does it make sense to let a process see keys that are
> in an ancestral namespace?

I think that should be the decision of the owner. If you're creating a
userns to de-privilege the next user, likely you don't want this, but if
you're creating a userns to enhance it, then you do.

I think you want to behave exactly as the mount namespace does: on
initial clone, you get a fully cloned mount tree and then you customise
it by unmounting pieces.

James

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers