Cedric Le Goater wrote:
> Pavel Emelianov wrote:
>> Cedric Le Goater wrote:
>>> Pavel Emelianov wrote:

[snip]

>>>> Did I miss something in the design or this patch worth merging?
>>> I've sent a more brutal patch in the past removing CONFIG_IPC_NS
>>> and CONFIG_UTS_NS. Might be a better idea ?
>> In case namespaces do not produce performance loss - yes.
>>
>> By that patch I also wanted to note that we'd better make
>> all the other namespaces check for flags themselves, not
>> putting this in the generic code.
>
> yep. let's fix that in the coming ones if they have config option.
>
> a similar issue is the following check done in
> unshare_nsproxy_namespaces() and copy_namespaces() :
>
> 	if (!capable(CAP_SYS_ADMIN))
> 		return -EPERM;
>
> it would be interesting to let the namespace handle the unshare
> permissions. CAP_SYS_ADMIN shouldn't be required for all namespaces.
> ipc is one example.

Frankly, I think that some capability *is* required for cloning
the namespaces.

>
> C.
>

Thanks,
Pavel