Re: [lxc-devel] [PATCH RFC] Introduce new security.nscapability xattr

2016-01-27 Thread Andy Lutomirski
On Wed, Jan 27, 2016 at 9:22 AM, Jann Horn wrote:
> I think it sounds good from a security perspective.

I'm a bit late to the game, but I have a question: why should this be keyed to the *root* uid of the namespace in particular? Certainly if user foo trusts the cap bits on some file, then user

Re: [lxc-devel] [PATCH RFC] Introduce new security.nscapability xattr

2016-01-27 Thread Serge E. Hallyn
On Wed, Jan 20, 2016 at 01:48:16PM +0100, Jann Horn wrote:
> On Fri, Dec 04, 2015 at 02:21:16PM -0600, Serge E. Hallyn wrote:
> > Quoting Eric W. Biederman (ebied...@xmission.com):
> > > "Serge E. Hallyn" writes:
> > >
> > > > A common way for daemons to run with minimal privilege is to start as