On 01/10/2013 05:13 PM, Eric W. Biederman wrote: > John Johansen <john.johan...@canonical.com> writes: > >>> When a distro is run in a container it is desirable to be able to run >>> the distro's security policy in that container. Ideally this will get >>> addressed by being able to do some level of per user namespace stacking. >>> Say selinux outside and apparmor inside a container. >>> >>> I think this would take a little more work than what Casey has currently >>> devised but I am hopeful an additional layer of stacking can be added >>> after Casey has merged the basic layer of stacking. >>> >> Right the general case will take more, but doing things like selinux on >> the outside and apparmor inside are doable right now. And we are working >> on supporting stacked apparmor policy right now so apparmor outside and >> a different apparmor policy inside will be doable soon. > > Cool. For stacked apparmor how are you deciding which tasks get which > policy? Is this based on user namespaces or something else? > its based on the apparmor policy namespace, which is inherited from the parent task.
-- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
