[arch-general] user namespaces

Daniel Micay danielmicay at gmail.com
Wed Feb 1 06:42:10 UTC 2017


Also worth noting that one of the first thing any sandbox based on user
namespaces will do is *disabling* user namespaces. The programs using
them acknowledge them to be a huge security problem. It doesn't work out
well when only a subset of processes are running in that container env.

The only sane way to approach this without taking a different path is
implementing plumbing to only expose user namespaces to the sandbox
spawning executables. Kernel infrastructure exists for doing that
already. It just depends on whether anyone is willing to do any real
work vs. complaining about it and denying the facts.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 866 bytes
Desc: This is a digitally signed message part
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20170201/870d90ee/attachment.asc>


More information about the arch-general mailing list