Serge E. Hallyn wrote:
>> I also think we should use CAP_SETPCAP for the privilege of manipulating
>> the bounding set. In many ways irrevocably removing a permission
>> requires the same level of due care as adding one (to pI).
>
> Aside from being heavy-handed, it also means that we are restricting the
> use of per-process capability bounding sets to kernels with file
> capabilities compiled in, right? Are we ok with that?
>

I am. :-)

Cheers

Andrew