On Thu, Jun 13, 2013 at 08:02:17PM +0200, Richard Weinberger wrote:
> Dropping capabilities within a user namespace makes no sense
> because any uid 0 process will regain all caps upon execve().

That is true, except for the fact that libvirt has removed the capabilities from the bounding set too. This prevents them from being regained upon execve.

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
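A way to verify the point made above, as an added example that is not from this thread or from libvirt: parse the Cap* lines of /proc/<pid>/status and report which capabilities a uid-0 process has dropped from its effective set but would get back on execve() because they are still in the bounding set (CapBnd). The status text is constructed, and CAP_NAMES covers only a subset of capability bits.

```python
"""Check whether a capability drop survives execve().

Rule applied: on execve() a uid-0 process has its permitted and effective
sets reset from the bounding set (CapBnd), so a capability is only really
gone once it has been removed from CapBnd as well.
"""
import re

# Partial map of Linux capability bit numbers to names (assumption: only
# the bits listed here are named; any other bit is printed as CAP_<bit>).
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
             3: "CAP_FOWNER", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID",
             8: "CAP_SETPCAP", 12: "CAP_NET_ADMIN", 19: "CAP_SYS_PTRACE",
             21: "CAP_SYS_ADMIN", 25: "CAP_SYS_TIME"}

def parse_status(text):
    """Return {'Uid': euid, 'CapInh': int, 'CapPrm': int, 'CapEff': int, 'CapBnd': int}."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            info[m.group(1)] = int(m.group(2), 16)
        m = re.match(r"^Uid:\s*(\d+)\s+(\d+)", line)
        if m:
            info["Uid"] = int(m.group(2))  # second field is the effective uid
    return info

def decode(mask):
    """List capability names for the bits set in a Cap* mask."""
    return [CAP_NAMES.get(b, f"CAP_{b}") for b in range(64) if mask >> b & 1]

def regainable_on_exec(info):
    """Capabilities a uid-0 process dropped from CapEff but would get back on
    the next execve() because they are still in CapBnd.  Ignores file
    capabilities and setuid-root binaries (those also consult CapBnd)."""
    if info["Uid"] != 0:
        return []
    return decode(info["CapBnd"] & ~info["CapEff"])

def drop_is_effective(info, bit):
    """True when the capability can no longer come back through execve()."""
    return not (info["CapBnd"] >> bit & 1)

# Constructed samples (not real libvirt output).  Both run as uid 0 with an
# empty effective set; only the second also cleared most of CapBnd.
NAIVE = ("Name:\tinit\nUid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\n"
         "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t0000001fffffffff\n")
HARDENED = NAIVE.replace("CapBnd:\t0000001fffffffff", "CapBnd:\t00000000000000c0")

if __name__ == "__main__":
    for label, text in (("naive", NAIVE), ("hardened", HARDENED)):
        print(label, "regains on execve():", regainable_on_exec(parse_status(text)))
```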