Quoting Paul Menage (menage@xxxxxxxxxx): > On Jan 15, 2008 9:49 AM, Serge E. Hallyn <serue@xxxxxxxxxx> wrote: > > > One other thought - should the parse/print routines themselves do a > > > translation based on the device mappings for the writer/reader's > > > cgroup? That way you could safely give a VE full permission to write > > > to its children's device maps, but it would only be able to add/remap > > > device targets that it could address itself. > > > > Oh, well if we do this then we can just as well use the translation > > functions to not allow a VE to add to its own set of devices, right? > > Right. > > > > > Then maybe capable(CAP_NS_OVERRIDE|CAP_SYS_ADMIN) would only be required > > to add devices. > > Or simply require that they be added by someone who already has access > to that device via their own control group? The root cgroup would have > access to all devices. Where by 'have access' you mean access to create the device? That sounds good. thanks, -serge _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers