Quoting Oren Laadan (orenl@xxxxxxxxxxxxxxx): > For #1, we need to create a new container to begin with. This already > requires CAP_SYS_ADMIN. Yes, for now we can use some setuid() to create > a new pid_ns and then do the restart. This is why I like tagging a pidns with a userid, and requiring that current->euid==pidns->uid in order to be allowed to set pid in that pidns. We require cap_sys_admin wil doing clone(CLONE_NEWPID). So if we do that while uid=500, then drop cap_sys_admin, then we can proceed to create new tasks with specified pids in that pidns. -serge _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
