Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933121AbbKRPnh (ORCPT <rfc822;w@1wt.eu>);
	Wed, 18 Nov 2015 10:43:37 -0500
Received: from h2.hallyn.com ([78.46.35.8]:38544 "EHLO h2.hallyn.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1755753AbbKRPnI (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Wed, 18 Nov 2015 10:43:08 -0500
Date: Wed, 18 Nov 2015 09:43:06 -0600
From: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>, Richard Weinberger <richard@nod.at>,
        Richard Weinberger <richard.weinberger@gmail.com>,
        LKML <linux-kernel@vger.kernel.org>,
        "open list:ABI/API" <linux-api@vger.kernel.org>,
        Linux Containers <containers@lists.linux-foundation.org>,
        LXC development mailing-list 
	<lxc-devel@lists.linuxcontainers.org>,
        Tejun Heo <tj@kernel.org>,
        cgroups mailinglist <cgroups@vger.kernel.org>,
        Andrew Morton <akpm@linux-foundation.org>
Subject: Re: CGroup Namespaces (v4)
Message-ID: <20151118154306.GA24719@mail.hallyn.com>
References: <1447703505-29672-1-git-send-email-serge@hallyn.com>
 <CAFLxGvzVmbZHrpaTmXUAK03hsnVPwEs3SJGNFNXfthh3NL8EDg@mail.gmail.com>
 <20151116204606.GA30681@mail.hallyn.com>
 <564A41AF.4040208@nod.at>
 <20151116205452.GA30975@mail.hallyn.com>
 <87y4dxh9b8.fsf@x220.int.ebiederm.org>
 <20151118023022.GA17501@mail.hallyn.com>
 <87r3jnfyx7.fsf@x220.int.ebiederm.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87r3jnfyx7.fsf@x220.int.ebiederm.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1211
Lines: 25

On Wed, Nov 18, 2015 at 03:18:44AM -0600, Eric W. Biederman wrote:
> "Serge E. Hallyn" <serge@hallyn.com> writes:
> 
> > On Mon, Nov 16, 2015 at 04:24:27PM -0600, Eric W. Biederman wrote:
> >> Similary have you considered what it required to be able to safely set
> >> FS_USERNS_MOUNT?
> >
> > I pushed the one patch which I feel is needed to my branch (it's also
> > included in another reply).  Aditya had already added FS_USERNS_MOUNT to
> > the cgroup fs flags, so I think we're now all set.  I can start
> > unprivileged containers which mount cgroupfs (which make systemd happy).
> 
> In principle that sounds very good, and I am glad to see that.
> 
> Let's hold off on merging the unprivileged part until everything else is
> reviewed and merged and we have performed an extra hard look at the
> security implications as it can be easy to overlook something when
> relaxing the permissions.

I'll break out the FS_USERNS_MOUNT flag into the very last patch.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/