It would be great if they didn't, of course. But historically, I've never had issues with kernel patches. In large enough deployments you get everything rolled ahead of the publication, or care enough to run grsec and custom profiles. In smaller ones, the kernel side is far down the list of things you care about.
So yeah, in the ideal world, let's have everything isolated. For now it would be great if they worked at all.
Also... There's a bit of practical limitation to how useful the isolation is. It's cool that the FS module runs in the userspace. But if it can create a suid-equivalent file and point an arbitrary config at it, you're not gaining much.