On 2018-02-13, Enrico Weigelt <l...@metux.net> wrote: > On 13.02.2018 22:12, Enrico Weigelt wrote: > > I'm currently trying to implement plan9 semantics on Linux and > > yet sorting out how to do the mount namespace handling. > > > > On plan9, any unprivileged process can create its own namespace > > and mount/bind at will, while on Linux this requires CAP_SYS_ADMIN. > > > > What is the reason for not allowing arbitrary users to create their > > own private mount namespace ? What could go wrong here ?
You can do this by creating a new user namespace (CLONE_NEWUSER), which then gives you the required permissions to create other namespaces (CLONE_NEWNS). This is how "rootless containers" or unprivileged containers operate. -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
Description: PGP signature