On Thu, 2008-12-18 at 10:54 -0800, Eric W. Biederman wrote:
> "Serge E. Hallyn" <serue@xxxxxxxxxx> writes:
> >
> > The uid check needs to be fixed for user namespaces, agreed. I could
> > go either way though on whether we should also restrict to the same
> > pidns.
>
> It would be a subtle unexpected semantic change, that we would need
> to copy linux-abi and document etc. I'm not convinced it is that
> useful.
>
> I'm inclined to keep the semantics pure until there is some real
> experience from the field on issues like this.

Well the man page talks about PRIO_PROCESS and PRIO_PGRP and in those
cases it looks like "who" is really a pid or pgrp id:

> The value which is one of PRIO_PROCESS, PRIO_PGRP, or PRIO_USER, and
> who is interpreted relative to which (a process identifier for
> PRIO_PROCESS, process group identifier for PRIO_PGRP, and a user ID for
> PRIO_USER).

It looks to me like restricting by pidns is required if "which" is
PRIO_PROCESS or PRIO_PGRP. If "which" is PRIO_USER then yes, it sounds
like a user ns issue.

Cheers,
-Matt Helsley