Tejun Heo <tj@xxxxxxxxxx> writes:

> Hello, guys.
>
> Why doesn't it follow the usual security enforced by cgroupfs
> permissions? Why is the explicit check necessary?

An almost more interesting question is why is cgroup one of the last pieces of code not using capabilities and instead lets you attach to any process simply if your uid == 0.

I don't know the history but the device cgroup testing for CAP_SYS_ADMIN makes a naive sort of sense to me.

Eric

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers