Hi, Tobias Florek <ato...@ibotty.net> writes:
> now that systemd conference has been a success, I wanted to ask whether
> you had a chance to look into it?

I was playing around with bubblewrap and systemd.

I've submitted some patches for systemd that got merged:

https://github.com/systemd/systemd/pull/4280

They enable systemd to work without CAP_AUDIT_[READ|WRITE] and not fail when setgroups is disabled (which can be done through /proc/PID/setgroups).

I have more patches to bubblewrap:

https://github.com/projectatomic/bubblewrap/pull/101

that are needed to run systemd in it.

I think the overall design, and the fact that some caps are left only when in a new user namespace, is safe. Anyway, they require a very accurate review, as a bug there can open the door to really bad things.

Regards,
Giuseppe
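The two mechanisms this message refers to, shown together as an added example (this is not systemd's or bubblewrap's code, and the helper names are my own): the sandbox side enters a new user namespace and writes "deny" to /proc/self/setgroups before mapping ids, and the guest side drops supplementary groups without treating a denied setgroups(2) as fatal, since once setgroups is denied the process cannot gain groups it does not already have.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Interpret the contents of /proc/PID/setgroups: the kernel writes
 * "allow" or "deny" there. Anything other than "deny" is treated as allowed. */
int setgroups_permitted(const char *contents) {
    return strncmp(contents, "deny", 4) != 0;
}

/* Read /proc/self/setgroups. Returns 1 if setgroups(2) may be called,
 * 0 if it has been denied for this user namespace. Kernels without the
 * file (before 3.19) never denied it, so a missing file counts as allowed. */
int setgroups_permitted_self(void) {
    char buf[16] = {0};
    FILE *f = fopen("/proc/self/setgroups", "r");
    if (!f)
        return 1;
    if (!fgets(buf, sizeof buf, f)) {
        fclose(f);
        return 1;
    }
    fclose(f);
    return setgroups_permitted(buf);
}

/* Guest side: drop supplementary groups the way a service manager does
 * before switching user. If setgroups is denied, skip the call instead of
 * failing: the kernel would return EPERM, and the process already cannot
 * acquire new groups. Returns 0 on success or when skipped, -errno otherwise. */
int drop_supplementary_groups(void) {
    if (!setgroups_permitted_self())
        return 0;
    if (setgroups(0, NULL) < 0)
        return -errno;
    return 0;
}

/* Write one string to a /proc file; returns 0 or -errno. */
static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, text, strlen(text));
    int err = n < 0 ? -errno : 0;
    close(fd);
    return err;
}

/* Sandbox side: unprivileged user namespace setup. "deny" must be written
 * to setgroups before gid_map, or the gid_map write is rejected. */
int main(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    char map[64];
    int r;

    if (unshare(CLONE_NEWUSER) < 0) {
        perror("unshare(CLONE_NEWUSER)");
        return 1;
    }
    if ((r = write_file("/proc/self/setgroups", "deny")) < 0) {
        fprintf(stderr, "setgroups deny: %s\n", strerror(-r));
        return 1;
    }
    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
    if ((r = write_file("/proc/self/uid_map", map)) < 0) {
        fprintf(stderr, "uid_map: %s\n", strerror(-r));
        return 1;
    }
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    if ((r = write_file("/proc/self/gid_map", map)) < 0) {
        fprintf(stderr, "gid_map: %s\n", strerror(-r));
        return 1;
    }

    printf("setgroups permitted inside namespace: %d\n", setgroups_permitted_self());
    r = drop_supplementary_groups();
    printf("drop_supplementary_groups: %d (%s)\n", r, r == 0 ? "ok" : strerror(-r));
    return r == 0 ? 0 : 1;
}
```

Run it as an unprivileged user on a kernel that allows unprivileged user namespaces; it reports setgroups as denied and the drop step as skipped rather than failed. Without the guard, setgroups(0, NULL) returns EPERM inside such a namespace even though the process holds CAP_SETGID there, which is exactly the failure the patch description says systemd used to hit.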