Quoting Serge Hallyn (serge@xxxxxxxxxx):
> Eric,
>
> during the container reboot discussion, the agreement was reached that
> rebooting for real from non-init pid ns is not safe. Restarting userspace
> (in pidns caller owns) is. I argue the same reasoning supports this.
>
> I haven't had a chance to review the patch, but the idea gets my ack. I'll
> look at the patch asap.
>
> I'm also fine with splitting cap_sys_boot into user and system caps. The
> former would only be needed targeted to the userns of the init pid, while
> the latter would be required to init_user_ns. Then containers could safely
> be given cap_sys_restart or whatever, but not cap_sys_boot which authorizes
> kexec and machine reset/poweroff.

Splitting the cap up into CAP_RESTART (restart /sbin/init) and CAP_BOOT (reboot
hardware or kexec kernel) has the advantage that the capabilities each remain
simpler to parse, no 'in this context it means that'.

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
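As an added example (not code from this thread, from the patch under discussion, or from the kernel): the check a practitioner wants after a discussion like this is whether a given container init actually holds CAP_SYS_BOOT, and relative to which user namespace. The C program below decodes the CapEff and CapBnd masks from /proc/PID/status (CAP_SYS_BOOT is capability number 22, defined locally here so it builds without kernel headers) and compares /proc/PID/ns/user links to tell a host process from one in a child user namespace. The two status excerpts are constructed samples, not captures from a real system.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* CAP_SYS_BOOT is capability number 22 in <linux/capability.h>; it gates
 * reboot(2) and kexec_load(2). Defined here so the example needs no headers. */
#define CAP_SYS_BOOT_BIT 22

/* Return 1 if capability number `cap` is set in a /proc/PID/status mask. */
int cap_in_mask(uint64_t mask, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Locate "<name>:\t<hex>" at the start of a line in status_text and parse
 * the hex mask. Returns 0 on success, -1 if the field is missing/malformed. */
static int find_cap_field(const char *status_text, const char *name, uint64_t *out)
{
    size_t nlen = strlen(name);
    const char *p = status_text;

    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *start = p + nlen + 1;   /* strtoull skips the tab */
            char *end;
            errno = 0;
            uint64_t v = strtoull(start, &end, 16);
            if (end == start || errno != 0)
                return -1;
            *out = v;
            return 0;
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

/* Given the text of /proc/PID/status, return 1 if CAP_SYS_BOOT is in both
 * the effective set (usable now) and the bounding set (the ceiling the
 * process can ever regain through execve), 0 if not, -1 if fields missing. */
int status_has_sys_boot(const char *status_text, uint64_t *eff_out, uint64_t *bnd_out)
{
    uint64_t eff, bnd;

    if (find_cap_field(status_text, "CapEff", &eff) < 0 ||
        find_cap_field(status_text, "CapBnd", &bnd) < 0)
        return -1;
    if (eff_out) *eff_out = eff;
    if (bnd_out) *bnd_out = bnd;
    return cap_in_mask(eff, CAP_SYS_BOOT_BIT) && cap_in_mask(bnd, CAP_SYS_BOOT_BIT);
}

/* Same check against a live process ("self" or a numeric pid string). */
int pid_has_sys_boot(const char *pid)
{
    char path[64], buf[8192];
    FILE *f;
    size_t n;

    snprintf(path, sizeof path, "/proc/%s/status", pid);
    f = fopen(path, "r");
    if (!f)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_has_sys_boot(buf, NULL, NULL);
}

/* Capability bits are only meaningful relative to the process's user
 * namespace: an init in a child userns can show every bit set and still hold
 * nothing towards init_user_ns. Compare the ns links to tell the cases apart.
 * Returns 1 if both pids share a user namespace, 0 if not, -1 on error. */
int same_user_ns(const char *pid_a, const char *pid_b)
{
    char pa[64], pb[64], la[128], lb[128];
    ssize_t na, nb;

    snprintf(pa, sizeof pa, "/proc/%s/ns/user", pid_a);
    snprintf(pb, sizeof pb, "/proc/%s/ns/user", pid_b);
    na = readlink(pa, la, sizeof la - 1);
    nb = readlink(pb, lb, sizeof lb - 1);
    if (na < 0 || nb < 0)
        return -1;
    la[na] = '\0';
    lb[nb] = '\0';
    return strcmp(la, lb) == 0;
}

/* Constructed samples (not captured from a real system): a root shell on the
 * host, and a shell whose runtime dropped CAP_SYS_BOOT from every set. */
static const char host_root_status[] =
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n";

static const char container_status[] =
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n";

int main(void)
{
    printf("host root sample: CAP_SYS_BOOT = %d\n", status_has_sys_boot(host_root_status, NULL, NULL));
    printf("container sample: CAP_SYS_BOOT = %d\n", status_has_sys_boot(container_status, NULL, NULL));
    printf("this process:     CAP_SYS_BOOT = %d, same userns as pid 1: %d\n",
           pid_has_sys_boot("self"), same_user_ns("self", "1"));
    return 0;
}
```

Run it from the host's pid namespace with a container init's pid to audit it; run inside the container and the pid 1 comparison only tells you about the container's own init. The mask test alone is not sufficient, which is exactly the point Serge's user/system split makes explicit: the kernel evaluates a capability against a user namespace, so a full CapEff in a child userns does not authorize a real reboot of the machine.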