Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> Andrew Lutomirski <luto@xxxxxxx> writes:
>
> Still given that you aren't doing the very restrictive current_cred()
> must not change I don't know how it matters, and a bpf based seccomp can
> pretty easily filter out new user namespace creation.  Shrug.

I very much want and intend to use both user namespaces and seccomp2
together.

Speaking in terms of the old userns implementation, once a container has
been created, no child of my task will change uid/gid or gain/move
capabilities in the original user namespace.  But they're free to do so
at will in the child user namespace.  Since the capabilities are targeted
at the child namespaces, that's fine.

And as Eric noted the user namespaces will allow us to increase the
attack surface, but at the same time I'm hoping to offset that somewhat
using seccomp2.

-serge
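The quoted remark that a bpf based seccomp filter can filter out new user namespace creation, sketched as an added example (not code from this thread or from the kernel tree). The names deny_newuser, install_filter and verdict are hypothetical, and the filter assumes an x86-64, little-endian build; verdict() evaluates the filter in user space so its decisions can be checked without installing it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/sched.h>                     /* CLONE_NEWUSER */
#include <linux/seccomp.h>

#define NATIVE_ARCH AUDIT_ARCH_X86_64        /* assumption: x86-64 build */
#define ARG0 offsetof(struct seccomp_data, args[0])  /* low 32 bits of arg 0 */

/* Hypothetical filter: EPERM for unshare()/clone() with CLONE_NEWUSER set.
 * Not covered: clone3(), whose flags sit behind a pointer BPF cannot read. */
static struct sock_filter deny_newuser[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),         /* foreign ABI */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_unshare, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG0),            /* flags argument */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, CLONE_NEWUSER, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

int install_filter(void) {                   /* irreversible for this process */
    struct sock_fprog p = { sizeof deny_newuser / sizeof *deny_newuser, deny_newuser };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &p);
}

/* Evaluates the filter in user space (only the four opcodes it uses). */
uint32_t verdict(uint32_t arch, int nr, uint64_t arg0) {
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { arg0 } };
    uint32_t acc = 0;
    for (const struct sock_filter *i = deny_newuser;; i++) {
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS: memcpy(&acc, (char *)&d + i->k, 4); break;
        case BPF_JMP | BPF_JEQ | BPF_K: i += (acc == i->k) ? i->jt : i->jf; break;
        case BPF_JMP | BPF_JSET | BPF_K: i += (acc & i->k) ? i->jt : i->jf; break;
        default: return i->k;                /* BPF_RET | BPF_K */
        }
    }
}

int main(void) { return verdict(NATIVE_ARCH, __NR_unshare, CLONE_NEWUSER) != (SECCOMP_RET_ERRNO | EPERM); }
```

A task that should still create its own child user namespace would call install_filter() only after that namespace exists, since the filter is inherited by every child and cannot be removed.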