Device Namespaces

Janne Karhunen janne.karhunen at
Tue Oct 1 18:36:52 UTC 2013

On Tue, Oct 1, 2013 at 8:27 PM, Andy Lutomirski <luto at> wrote:

> Can't the daemon live outside the container and shuffle stuff in?
> IOW, there seems to be little point in containerizing things if you're
> just going to punch a privilege hole in the namespace.

Yeah. I will try to experiment just how much can be 'stuffed
in' without effective caps. It certainly would be better this way.

> FWIW, I think that the capability evolution rules are crap, but
> changing them is a can of worms, and enough people seem to thing the
> status quo is acceptable that this is unlikely to ever get fixed.

I have noted (Casey almost tried to strangle me during the
last security summit for even daring to talk about it).


More information about the Containers mailing list