janne.karhunen at gmail.com
Tue Oct 1 18:36:52 UTC 2013
On Tue, Oct 1, 2013 at 8:27 PM, Andy Lutomirski <luto at amacapital.net> wrote:
> Can't the daemon live outside the container and shuffle stuff in?
> IOW, there seems to be little point in containerizing things if you're
> just going to punch a privilege hole in the namespace.
Yeah. I will try to experiment just how much can be 'stuffed
in' without effective caps. It certainly would be better this way.
> FWIW, I think that the capability evolution rules are crap, but
> changing them is a can of worms, and enough people seem to think the
> status quo is acceptable that this is unlikely to ever get fixed.
I have noted (Casey almost tried to strangle me during the
last security summit for even daring to talk about it).