Topi Miettinen <toiwoton@xxxxxxxxx> writes:

> There are many basic ways to control processes, including capabilities,
> cgroups and resource limits. However, there are far fewer ways to find
> out useful values for the limits, except blind trial and error.
>
> Currently, there is no way to know which capabilities are actually used.
> Even the source code is only implicit; in-depth knowledge of each
> capability must be used when analyzing a program to judge which
> capabilities the program will exercise.
>
> Generate an audit message at system call exit, when capabilities are used.
> This can then be used to configure capability sets for services by a
> software developer, maintainer or system administrator.
>
> Test case demonstrating basic capability monitoring with the new
> message types 1330 and 1331 and how the cgroups are displayed (boot to
> rdshell):

You totally miss the interactions with the user namespace so this won't
give you the information you are aiming for.

Eric
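Added example, not part of the thread above and not code from the proposed patch. Until something like the proposed audit record exists, the only capability information a developer or administrator can read for a running service is the sets it *holds*, exposed as hex bitmasks in the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of /proc/<pid>/status. The script below decodes those masks into capability names (using the bit numbers from linux/capability.h) and reports which held capabilities fall outside a proposed service set, which is the comparison the patch description wants to make easier. The sample status text is constructed for the example. Note the caveat from the reply: these masks are interpreted relative to the process's own user namespace, so a full CapEff inside a child user namespace says nothing about what the process can do to objects owned by the initial namespace.

```python
"""Decode capability bitmasks from /proc/<pid>/status.

Added example; not the patch under discussion and not kernel code.
Bit numbers follow linux/capability.h (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40).
"""
import re

CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# The five capability-set lines printed by the kernel in /proc/<pid>/status.
CAP_SET_LINES = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def decode_caps(mask):
    """Return the set of capability names whose bit is set in `mask`.

    Bits the table does not know (a newer kernel than this list) are kept
    as "cap_<bit>" rather than silently dropped, so nothing held goes unreported.
    """
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
        bit += 1
    return names


def parse_status(text):
    """Parse the Cap* lines of a /proc/<pid>/status dump into name sets.

    Masks are relative to the process's user namespace: a full CapEff in a
    child user namespace grants nothing over the parent namespace's objects.
    """
    result = {}
    for line in text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m and m.group(1) in CAP_SET_LINES:
            result[m.group(1)] = frozenset(decode_caps(int(m.group(2), 16)))
    missing = [name for name in CAP_SET_LINES if name not in result]
    if missing:
        raise ValueError("status text lacks capability lines: %s" % ", ".join(missing))
    return result


def read_process_caps(pid="self"):
    """Read and decode the capability sets of a live process."""
    with open("/proc/%s/status" % pid) as f:
        return parse_status(f.read())


def excess_caps(held, needed):
    """Capabilities held but not in the proposed service set (candidates to drop)."""
    return set(held) - set(needed)


# Constructed sample: a service that kept only bits 10 and 13 effective
# (0x400 | 0x2000 == 0x2400) but still carries a full bounding set.
SAMPLE_STATUS = """\
Name:\tsample-daemon
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000002400
CapEff:\t0000000000002400
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    sets = parse_status(SAMPLE_STATUS)
    for name in CAP_SET_LINES:
        print("%s: %s" % (name, ", ".join(sorted(sets[name])) or "(none)"))
    proposed = {"cap_net_bind_service"}
    print("bounding set beyond proposal:",
          len(excess_caps(sets["CapBnd"], proposed)), "capabilities")
```

Run it without arguments to decode the constructed sample; call `read_process_caps(pid)` against a real service to see what it actually holds, and compare `excess_caps(sets["CapBnd"], proposed)` against the set you intend to configure. Because the decoding is per-namespace, inspect a containerised service's PID from inside its user namespace and from the host separately rather than trusting one view.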