Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions

From: Linus Torvalds
Date: Wed Feb 21 2018 - 14:52:40 EST


On Wed, Feb 21, 2018 at 10:21 AM, Andi Kleen <ak@xxxxxxxxxxxxxxx> wrote:
>
> How about uid name spaces? Someone untrusted in a container could
> create a lot of uids and switch between them.

Anybody who does that deserves whatever the hell they get.

You can already blow out a lot of other resources that way. If you can
create users indiscriminately enough, you can bypass most other
resource limits too.

If you think containers protect against security issues from untrusted
users, I have a bridge to sell you.

Linus