From: Gowrishankar M <gomuthuk@xxxxxxxxxxxxxxxxxx> In a piece of dead code, cap_set_all() propagates through processes outside PID namespace, as iteration is always in init PID namespace. Below patch adjusts macro controller to use do_each_thread_in_ns() so that only processes in current namespace are scanned. Signed-off-by: Gowrishankar M <gowrishankar.m@xxxxxxxxxxxxxxxxxx> --- kernel/capability.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/capability.c b/kernel/capability.c index 33e51e7..e3e3765 100644 --- a/kernel/capability.c +++ b/kernel/capability.c @@ -201,7 +201,7 @@ static inline int cap_set_all(kernel_cap_t *effective, spin_lock(&task_capability_lock); read_lock(&tasklist_lock); - do_each_thread(g, target) { + do_each_thread_in_ns(g, target, current->nsproxy->pid_ns) { if (target == current || is_container_init(target->group_leader)) continue; -- 1.5.5.1 _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
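Review bot: The hunk replaces only the opening macro of the task-list walk in cap_set_all(); do_each_thread(g, target) is normally closed by a matching while_each_thread(g, target) below the context shown here, and the diffstat (1 insertion, 1 deletion) indicates that closing macro is left untouched. Please confirm that do_each_thread_in_ns() pairs correctly with the unchanged closer, or update the closer in the same patch so the loop still compiles and terminates as intended. The commit message also needs work: it describes cap_set_all() as "dead code" yet changes its behaviour, so state which call path actually reaches it, and replace "adjusts macro controller" with a plain statement of the security effect, namely that the walk is now limited to current->nsproxy->pid_ns so a capability change requested from inside a pid namespace can no longer touch tasks outside that namespace (with the existing is_container_init() check still skipping the namespace's own init). Finally, the Signed-off-by address (gowrishankar.m@...) does not match the From: address (gomuthuk@...); please make them consistent.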