On dim., 2015-10-18 at 20:41 -0500, Serge E. Hallyn wrote: > We shouldn't need a long-term solution. Your concern is bugs. After > some time surely we'll feel that we have achieved a stable solution?
But this is actually the whole point: we need a long term solution, because they will always be bug, whether in user namespaces or in others parts exposed by user namespaces. It's fine to fix them when we find them, but that still means they're exploitable even before we know about them. We still find bugs in code written years ago, it's quite certain there are bugs in current code. User namespaces are a way to expose more interfaces to unprivileged users, interfaces which weren't designed to be exposed like that. In a way that's the opposite of seccomp. That doesn't make it bad, obviously, but that still means having a way to control it finely could be helpful. Regards, -- Yves-Alexis
signature.asc
Description: This is a digitally signed message part
