What's New in the User Namespace - Recent Developments and Future Outlook

Explore the evolution and current state of user namespaces in this comprehensive conference talk. Delve into exciting developments, including the new VFS API and VFS idmap shifting, which simplify container setup without root filesystem manipulation. Learn about security enhancements, such as LSM-mediated user namespace creation and IMA namespacing for system-wide measurement and checking. Discover solutions to major adoption blockers and the potential deprecation of less secure container options. Gain insights into filesystem handling, integrity measurements, tracing, and trusted resources in user namespaces. Understand the implications for modern container space and the future of user namespace implementation.

Intro
What are user namespaces?
Common setup
Filesystem handling
The early days
The problem
VFS idmap shifting
New namespaces
Integrity Measurements (IMA)
Tracing
Restricting the user namespace
LSM hook
System call interception
Trusted resources
Trusted workloads
Conclusion
Questions?