Re: [patch 1/1][RFC] do not sys_reboot when not in init_pid_ns

On Sun, 2008-11-02 at 01:00 +0100, Daniel Lezcano wrote:
> +++ net-next-2.6/kernel/sys.c
> @@ -355,6 +355,9 @@ asmlinkage long sys_reboot(int magic1, i
>         if (!capable(CAP_SYS_BOOT))
>                 return -EPERM;
> 
> +       if (current->nsproxy->pid_ns != &init_pid_ns)
> +               return 0;
> +
>         /* For safety, we require "magic" arguments. */
>         if (magic1 != LINUX_REBOOT_MAGIC1 ||
>             (magic2 != LINUX_REBOOT_MAGIC2 &&
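Review bot: the new check at `current->nsproxy->pid_ns != &init_pid_ns` returns 0, so a caller in a non-init pid namespace is told the reboot succeeded while nothing happened; an init process inside such a namespace has no way to tell a suppressed reboot from a completed one. Returning an error (`-EPERM`, matching the `capable(CAP_SYS_BOOT)` path just above) would be more honest. The check also sits before the "magic" argument validation, so inside a non-init pid namespace even calls with bad magic values report success; placing it after the magic check keeps argument validation uniform. Finally, comparing the pid namespace pointer to `&init_pid_ns` inline hard-codes one definition of "in a container" into sys_reboot(); if this is kept at all, the test belongs behind a single named helper rather than an open-coded pointer comparison.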

One problem I have with this is that it specifically defines being "in a
container" as being in a pid_ns other than the init_pid_ns.  If we're
going to go down this road, it should be at *least*:

int in_a_container(void)
{
	return current->nsproxy->pid_ns != &init_pid_ns;
}

But, this also sucks because we don't want to be introducing new code
paths all over the kernel for the "container" case.  What we'll end up
with is little craplets like this spread all over:

	if (in_a_container()) {
		/* don't ever test this code path */
	}

:)

So I think we should avoid what you're trying to do here like the
plague.

-- Dave

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
