Hello, Casey. On Tue, Dec 13, 2016 at 10:32:14AM -0800, Casey Schaufler wrote: > > The trouble is that CAP_SYS_NICE or _RESOURCE (which was tried in an > > earlier version of this patch) aren't necessarily appropriate for > > non-android systems. See Andy's objection here: > > https://lkml.org/lkml/2016/11/8/946 > > Then we need to see what those as-yet-unimplemented systems > require and how to address them. I don't think that taking > the "someone might want it" approach is really appropriate. I understands that there can be reservations regarding adding a new CAP but this isn't about someone possibly wanting it in the future. It's more about overloading existing CAPs leading to permitting unintended operations. e.g. ppl who've been delegating CAP_SYS_RESOURCES would automatically end up delegating cgroup organization without intending so. Using an existing cap would have been nice but it just doesn't look like we have a good one to overload. Thanks. -- tejun -- To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
