>> 1. cap_sys_admin check is unfortunate. In discussions about Oren's
>> patchset we've agreed that not having that check from the outset forces
>> us to consider security with each new patch and feature, which is a good
>> thing.
>
> Removing CAP_SYS_ADMIN on restore?

We've kept the capabilities in our patchset, but the user tools doing
checkpoint and restart are setcap'ed appropriately to be able to do
different things like:

  clone() the namespaces
  mount /dev/mqueue
  interact with net_ns
  etc.

At restart, the tasks are restarted through execve(), so they lose their
capabilities automatically.

But I think we could drop the CAP_SYS_ADMIN tests for some namespaces;
uts and ipc are good candidates. I guess network should require some
privilege.

C.