Quoting Sukadev Bhattiprolu (sukadev@xxxxxxxxxxxxxxxxxx):
> Serge E. Hallyn [serue@xxxxxxxxxx] wrote:
> | I think this whole patchset is still NACKed until you tag
> | pid_namespaces with a creator uid, and ensure that
> | current_uid()==pid_ns->creator_uid() at each level where
> | the caller is specifying a pid.
>
> I currently have CAP_SYS_ADMIN check in clone_with_pids() and was
> thinking that the tagging of pid namespaces can be done independent
> of this patchset (as would integrating your patch of making pid_max
> a property of pid-namespace).

Didn't notice that check in patch 7. Yeah, that's fine.

> |
> | I don't see that in this set.
> |
> | OTOH, your approach of pulling alloc_pidmap_page() out of
> | alloc_pidmap() and re-using it may be what Eric wanted to
> | see.
>
> Yes, I think the first few helper patches in the set would be needed/
> useful to restart a process with a pid (not just for the clone-with-pids
> syscall).

thanks,
-serge
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers