Quoting Aristeu Rozanski (arozansk@xxxxxxxxxx):
> This is a bit fuzzy to me, perhaps because I'm not fully understanding
> the userns implementation yet, so bear with me:
> I thought of changing it so userns would not grant CAP_AUDIT_WRITE and
> CAP_AUDIT_CONTROL unless the process already has it (i.e. it'd require

Seems like CAP_AUDIT_WRITE should be targeted against the skb->netns->userns. Then CAP_AUDIT_WRITE can be treated like any other capability.

Last I knew (long time ago) you had to be in init_user_ns to talk audit, but that's ok - this would just do the right thing in any case.

-serge

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers