Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932174AbcCHEPn (ORCPT ); Mon, 7 Mar 2016 23:15:43 -0500 Received: from out01.mta.xmission.com ([166.70.13.231]:33290 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932134AbcCHEPi (ORCPT ); Mon, 7 Mar 2016 23:15:38 -0500 From: ebiederm@xmission.com (Eric W. Biederman) To: Andy Lutomirski Cc: "Serge E. Hallyn" , Serge Hallyn , Seth Forshee , lkml , =?utf-8?Q?St=C3=A9phane?= Graber References: <20160306082820.GA1917@mail.hallyn.com> <87oaar2ryz.fsf@x220.int.ebiederm.org> <87lh5t7ryo.fsf@x220.int.ebiederm.org> Date: Mon, 07 Mar 2016 22:05:50 -0600 In-Reply-To: (Andy Lutomirski's message of "Mon, 7 Mar 2016 16:24:21 -0800") Message-ID: <87bn6p7gwx.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-AID: U2FsdGVkX18eDuQEvKqx0JmhPxOdPUdZ617HxSQEFOg= X-SA-Exim-Connect-IP: 70.59.168.211 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * -0.0 BAYES_40 BODY: Bayes spam probability is 20 to 40% * [score: 0.3946] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa03 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa03 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Andy Lutomirski X-Spam-Relay-Country: X-Spam-Timing: total 716 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 3.9 (0.6%), b_tie_ro: 2.8 (0.4%), parse: 1.23 (0.2%), extract_message_metadata: 29 (4.1%), get_uri_detail_list: 1.83 (0.3%), tests_pri_-1000: 12 (1.7%), tests_pri_-950: 2.0 (0.3%), tests_pri_-900: 1.59 (0.2%), tests_pri_-400: 26 (3.7%), check_bayes: 25 (3.4%), b_tokenize: 9 (1.3%), b_tok_get_all: 7 (0.9%), b_comp_prob: 3.5 (0.5%), b_tok_touch_all: 2.1 (0.3%), b_finish: 0.84 (0.1%), tests_pri_0: 290 (40.5%), check_dkim_signature: 0.88 (0.1%), check_dkim_adsp: 4.2 (0.6%), tests_pri_500: 345 (48.2%), poll_dns_idle: 336 (46.8%), rewrite_mail: 0.00 (0.0%) Subject: Re: user namespace and fully visible proc and sys mounts X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1097 Lines: 26 Andy Lutomirski writes: > On Mon, Mar 7, 2016 at 4:07 PM, Eric W. Biederman wrote: >> Andy Lutomirski writes: >> >>> On a related note, can we *please* find a way to constrain namespace >>> creation in a way that might satisfy the RHEL crowd? >> >> I am not certain to what you are referrring. >> >> As long as folks are willing to work with me I am happy to help design >> and design something that makes things better for everyone. If someone >> pushes hard, suggestes crappy patches, and does not listen to >> constructive feedback I will shoot their patches down (especially when I >> am sick and tired as I have been more than I would like this development >> cycle). > > I think we should add some mechanism that will allow the right to > create various namespaces to be constrained in a useful and usable > manner. I'll start a new thread. On the general principle that there is more attack surface, and attack surface reduction is generally good I agree. I will await your follow on thread when you are ready. Eric