Thread (2 messages), 2 authors, 2015-11-18

Re: CGroup Namespaces (v4)

From: Serge E. Hallyn <hidden>
Date: 2015-11-18 15:43:37
Also in: cgroups, lkml

On Wed, Nov 18, 2015 at 03:18:44AM -0600, Eric W. Biederman wrote:
> "Serge E. Hallyn" [off-list ref] writes:
>
>> On Mon, Nov 16, 2015 at 04:24:27PM -0600, Eric W. Biederman wrote:
>>
>>> Similarly have you considered what is required to be able to safely set
>>> FS_USERNS_MOUNT?
>>
>> I pushed the one patch which I feel is needed to my branch (it's also
>> included in another reply).  Aditya had already added FS_USERNS_MOUNT to
>> the cgroup fs flags, so I think we're now all set.  I can start
>> unprivileged containers which mount cgroupfs (which make systemd happy).
>
> In principle that sounds very good, and I am glad to see that.
>
> Let's hold off on merging the unprivileged part until everything else is
> reviewed and merged and we have performed an extra hard look at the
> security implications as it can be easy to overlook something when
> relaxing the permissions.

I'll break out the FS_USERNS_MOUNT flag into the very last patch.