Quoting Eric W. Biederman (ebiederm@xmission.com):
quoted text
> Michael Kerrisk <mtk-manpages@gmx.net> writes:
> 
> > Hello Serge,
> >
> > In 2.6.23-rc, your patch to add support for CLONE_NEWUSER is included.  Is
> > there there some for-userland-programmers documentation of this flag
> > somewhere?  Would you be able to send some documentation to me (ideally as
> > a patch to the clone.2 man page, but otherwise some plain text will do).
> >
> > If this flag is also supported for unshare(), then could you please send me
> > a patch/text for that too?
> 
> Currently this namespace is a work in progress marked with CONFIG_EXPERIMENTAL
> because it is very much still experimental and under development.
> 
> There may be other omissions but the one I am most aware of is that
> the in kernel user and group equality comparisons have not become been
> transformed from the form uid1 == uid2 to user_namespace1 == user_namespace2 &&
> uid1 == uid2.

I think the two main omissions are that one, and the fact that there is
no concept of a capability mask or per-namespace/cross-namespace
capabilities.  What is implemented is separate accounting for the same
uid in different namespaces.

Until the shortcomings are addressed, depending on one's use case, one
may want to use selinux to control access across user namespaces.

quoted text
> Until that happens that user namespace remains incomplete and not very
> useful.  So the advice to users for now that unless they want to help
> finish this up do not use.

thanks,
-serge
-
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/