On Thu, 2014-11-27 at 18:38 +0100, Lukasz Pawelczyk wrote:
> Right now the major issue I see is that LSM by itself is not defined how
> it's going to behave. It's up to a specific LSM module.
>
> E.g. within the Smack namespace filling the map is a privileged
> operation. So by tying them up you cripple the ability to create a fully
> working user namespace as an unprivileged process.

Entertaining the idea that LSM namespace would be tied to user namespace
(as you suggested), how do you see the limitation I described above?

--
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics