[Dev] Multi User activation idea.

Dominig ar Foll (Intel OTC) dominig.arfoll at fridu.net
Wed Oct 2 11:06:27 GMT 2013


> UID namespaces are considered problematic, to say the least. The
> problems begin when you create files in a UID namespace. Then, the
> security team (I've just asked them to write a little bit more about it
> here) has their own idea of how to use containers.
Our idea is to create the User NS with a static mapping in such a way
that the control from the root namespace remains possible in a
traditional way.
> I am afraid you trust containers too much and forget about real security
> measures (SMACK in our case). Containers are not meant to provide
> security.
>
> http://www.youtube.com/watch?v=Sz-S7fqgjvA&feature=player_detailpage#t=485
>
> I hope, I wrote something useful.
>
I am not proposing to rely only on the containers for security but just
to try to optimise RAM by sharing resources when possible between users
without running all the common services as root.
My view is to keep SMACK as well.

Dominig


