> This patch isn't a core part of the clone_with_pid functionality,
> just something Eric has asked for. So I don't object to dropping
> it. But I disagree with Alexey's claim that this isn't a namespace
> property. It should be.

OK

>> frankly I don't see the reason for doing so. Why should we?
>> Especially taking into account, that we essentially cannot
>> change thin in the namespace level 3 and deeper?
>
> What do you mean by that? With this patchset we're not, it's
> true, but we trivially can - even now, userspace can simply not
> give the container CAP_SYS_ADMIN or write access to the sysctl
> so they can't do any more CLONE_NEWPIDS or change the sysctl.

It's a misprint - I meant "level 2 and deeper". Sysctl is only
pointing at the init_pid_ns variable.

> -serge
>
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers