Quoting Serge E. Hallyn (serge@xxxxxxxxxx):
> Quoting Nathan Lynch (ntl@xxxxxxxxx):
> > "Serge E. Hallyn" <serue@xxxxxxxxxx> writes:
> > > Define a CHECKPOINT_SUBTREE flag for sys_checkpoint() which
> > > says it's ok if the checkpointed set of tasks are not
> > > a fully isolated container without leaks.
> > >
> > > Define a sysctl 'ckpt_subtree_allowed' which determines
> > > whether subtree checkpoints are ok. If that sysctl,
> > > ckpt_subtree_allowed, is 0, then the CHECKPOINT_SUBTREE flag
> > > may not be used. Also, if that sysctl is 0, then both
> > > sys_checkpoint() and sys_restart() always require
> > > CAP_SYS_ADMIN.
> >
> > Whether subtree checkpoint is allowed and whether non-admin checkpoint
> > is allowed are independent constraints, no? Should this really be a
> > single flag?
>
> Well it's not about the flag, it's about the sysctl. So actually
> I don't have that right at checkpoint (but do at restart). It
> should just be:
>
>         if (!ckpt_subtree_allowed && !capable(CAP_SYS_ADMIN))
>                 return -EPERM;
>
> for both.
>
> As for making it two sysctls, I don't really care. Fine by me...

Hmm, no... I think you've clarified this for me. There's no need for a
sysctl disallowing the CHECKPOINT_SUBTREE flag. There should just be an
unprivileged_checkpoint sysctl determining whether CAP_SYS_ADMIN is
always needed. Then the optional CHECKPOINT_SUBTREE is always allowed.

That makes much more sense. Thanks, Nathan.

-serge
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
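The two policy shapes discussed in this thread, as an added userspace C model rather than code from the patch series: the original check where one ckpt_subtree_allowed sysctl gates both the flag and the privilege, beside the decoupled unprivileged_checkpoint check Serge settles on, where the flag is always a valid option and only the CAP_SYS_ADMIN requirement is tunable. The flag's bit value, the argument layout, and the error code for a forbidden flag are assumptions of the model; capable() is replaced by a plain parameter.

```c
/* Userspace model of the checkpoint permission policy; not kernel code.
 * Sysctl values and the capable(CAP_SYS_ADMIN) result are parameters. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define CHECKPOINT_SUBTREE     0x1   /* bit value assumed for this model */
#define CHECKPOINT_VALID_FLAGS (CHECKPOINT_SUBTREE)

/* Original proposal: a single sysctl decides both whether the subtree
 * flag may be used and whether CAP_SYS_ADMIN is required. */
int ckpt_permission_coupled(unsigned int flags, int ckpt_subtree_allowed,
                            bool cap_sys_admin)
{
    if (flags & ~CHECKPOINT_VALID_FLAGS)
        return -EINVAL;                 /* unknown flag bits */
    if (!ckpt_subtree_allowed) {
        if (flags & CHECKPOINT_SUBTREE)
            return -EPERM;              /* subtree forbidden outright (assumed code) */
        if (!cap_sys_admin)
            return -EPERM;              /* and admin always required */
    }
    return 0;
}

/* Outcome of the thread: the sysctl only says whether CAP_SYS_ADMIN is
 * always needed; CHECKPOINT_SUBTREE is always an allowed option. The
 * same check applies to sys_checkpoint() and sys_restart(). */
int ckpt_permission_decoupled(unsigned int flags, int unprivileged_checkpoint,
                              bool cap_sys_admin)
{
    if (flags & ~CHECKPOINT_VALID_FLAGS)
        return -EINVAL;                 /* unknown flag bits */
    if (!unprivileged_checkpoint && !cap_sys_admin)
        return -EPERM;
    return 0;
}

int main(void)
{
    /* The case where the two policies disagree: an admin asks for a
     * subtree checkpoint while the sysctl is 0. Coupled refuses it,
     * decoupled allows it, since the two constraints are independent. */
    printf("coupled:   %d\n", ckpt_permission_coupled(CHECKPOINT_SUBTREE, 0, true));
    printf("decoupled: %d\n", ckpt_permission_decoupled(CHECKPOINT_SUBTREE, 0, true));
    return 0;
}
```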