Hello, Serge. On Tue, Oct 04, 2016 at 03:18:40PM -0500, Serge E. Hallyn wrote: > how about changing the GLOBAL_ROOT_UID check with a targeted > capability check, like > > if (!ns_capable(tcred->user_ns, CAP_SYS_NICE) && > !uid_eq(cred->euid, tcred->uid) && > !uid_eq(cred->euid, tcred->suid)) > ret = -EACCES; > > where the actual capability to use may require some thought. Yeah, that's the direction I'm thinking too. We can't use CAP_SYS_NICE in general tho. Let's see if a dedicated CAP sticks. Thanks. -- tejun -- To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
