Gowrishankar M <gowrishankar.m@xxxxxxxxxxxxxxxxxx> writes:

> From: Gowrishankar M <gomuthuk@xxxxxxxxxxxxxxxxxx>
>
> In a piece of dead code, cap_set_all() propagates through processes outside
> PID namespace, as iteration is always in init PID namespace.
>
> Below patch adjusts macro controller to use do_each_thread_in_ns() so that
> only processes in current namespace are scanned

Yes. This case in capability.c needs to be fixed.

Acked-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>

> Signed-off-by: Gowrishankar M <gowrishankar.m@xxxxxxxxxxxxxxxxxx>
> ---
>  kernel/capability.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/capability.c b/kernel/capability.c
> index 33e51e7..e3e3765 100644
> --- a/kernel/capability.c
> +++ b/kernel/capability.c
> @@ -201,7 +201,7 @@ static inline int cap_set_all(kernel_cap_t *effective,
>  	spin_lock(&task_capability_lock);
>  	read_lock(&tasklist_lock);
>
> -	do_each_thread(g, target) {
> +	do_each_thread_in_ns(g, target, current->nsproxy->pid_ns) {
>  		if (target == current
>  		    || is_container_init(target->group_leader))
>  			continue;
> --
> 1.5.5.1

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
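Review bot: the commit message itself calls cap_set_all() dead code, yet the hunk only swaps the iterator from do_each_thread(g, target) to do_each_thread_in_ns(g, target, current->nsproxy->pid_ns); the log should state whether a caller is expected to return, so that restricting the scan to the current PID namespace matters, or whether removing the unused function is the better fix. The hunk's trailing context also stops at the `continue;` inside the loop, so the closing loop macro is not visible; confirm that it matches the _in_ns form of the iterator if that variant requires its own terminator, since a mismatched open/close macro pair would not show up in this diff.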