Quoting Li Zefan (lizefan@xxxxxxxxxx):
> In a container with its own pid namespace and user namespace, rebooting
> the system won't reboot the host, but terminate all the processes in
> it and thus have the container shutdown, so it's safe.
>
> Signed-off-by: Li Zefan <lizefan@xxxxxxxxxx>
Thanks, Li.
fwiw,
Acked-by: Serge E. Hallyn <serge.hallyn@xxxxxxxxxx>
-serge
> ---
> kernel/sys.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/sys.c b/kernel/sys.c
> index 265b376..24d1ef5 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -433,11 +433,12 @@ static DEFINE_MUTEX(reboot_mutex);
> SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd,
> void __user *, arg)
> {
> + struct pid_namespace *pid_ns = task_active_pid_ns(current);
> char buffer[256];
> int ret = 0;
>
> /* We only trust the superuser with rebooting the system. */
> - if (!capable(CAP_SYS_BOOT))
> + if (!ns_capable(pid_ns->user_ns, CAP_SYS_BOOT))
> return -EPERM;
>
> /* For safety, we require "magic" arguments. */
> @@ -453,7 +454,7 @@ SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd,
> * pid_namespace, the command is handled by reboot_pid_ns() which will
> * call do_exit().
> */
> - ret = reboot_pid_ns(task_active_pid_ns(current), cmd);
> + ret = reboot_pid_ns(pid_ns, cmd);
> if (ret)
> return ret;
>
> --
> 1.8.0.2
> _______________________________________________
> Containers mailing list
> Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
> https://lists.linuxfoundation.org/mailman/listinfo/containers
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
