Lines Matching refs:namespace
8 allowing a user to set up user namespace UID/GID mappings.
40 namespace). The higher level goal is to allow for uid-based sandboxing of system
69 namespace and give programs in the tree setid capabilities. In this way,
71 own user namespace, and only approved UIDs/GIDs could be mapped back to the
72 initial system user namespace, effectively preventing privilege escalation.
74 without pairing them with other namespace types, which is not always an option.
75 Linux checks for capabilities based off of the user namespace that "owns" some
77 the user namespace in which they were created. A consequence of this is that
78 capability checks for access to a given network namespace are done by checking
79 whether a task has the given capability in the context of the user namespace
80 that owns the network namespace -- not necessarily the user namespace under
81 which the given task runs. Therefore spawning a process in a new user namespace
82 effectively prevents it from accessing the network namespace owned by the
83 initial namespace. This is a deal-breaker for any application that expects to
107 privileges, such as allowing a user to set up user namespace UID/GID mappings.