Re: [PATCH 0/3] Introduce user namespace capabilities

From: Jarkko Sakkinen
Date: Thu May 16 2024 - 15:29:22 EST

Next message: Mukesh Ojha: "[PATCH] genirq/chip: Fix the warn for non-SMP system"
Previous message: Shreeya Patel: "Re: [PATCH 6.6 000/308] 6.6.31-rc3 review"
In reply to: Casey Schaufler: "Re: [PATCH 0/3] Introduce user namespace capabilities"
Next in thread: Jarkko Sakkinen: "Re: [PATCH 0/3] Introduce user namespace capabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu May 16, 2024 at 10:07 PM EEST, Casey Schaufler wrote:
> I suggest that adding a capability set for user namespaces is a bad idea:
> - It is in no way obvious what problem it solves
> - It is not obvious how it solves any problem
> - The capability mechanism has not been popular, and relying on a
> community (e.g. container developers) to embrace it based on this
> enhancement is a recipe for failure
> - Capabilities are already more complicated than modern developers
> want to deal with. Adding another, special purpose set, is going
> to make them even more difficult to use.

What Inh, Prm, Eff, Bnd and Amb is not dead obvious to you? ;-)
One UNs cannot hurt...

I'm not following containers that much but didn't seccomp profiles
supposed to be the silver bullet?

BR, Jarkko

Next message: Mukesh Ojha: "[PATCH] genirq/chip: Fix the warn for non-SMP system"
Previous message: Shreeya Patel: "Re: [PATCH 6.6 000/308] 6.6.31-rc3 review"
In reply to: Casey Schaufler: "Re: [PATCH 0/3] Introduce user namespace capabilities"
Next in thread: Jarkko Sakkinen: "Re: [PATCH 0/3] Introduce user namespace capabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]