Quoting Janne Karhunen (janne.karhunen@xxxxxxxxx):
> Current state of the kernel appears to be that there are more
> than 1000 capable() calls and only a handful are converted to
> ns_capable(). Moreover, it probably does not make any sense
> to convert most of these calls to be namespace aware due to
> the nature of the physical resources they control, making
> 'capable()' the right question to ask. Yet, in order to be
> able to build 'fully functional real device' like containers,
> user namespaces sometimes need access to real system
> resources.
>
> Thus, one potential candidate for enabling access to physical
> resources from the user namespace would be to use the namespace's
> own CAP_SYS_RESOURCE as a magical token for making task
> capabilities valid for init_ns.
>
> Signed-off-by: Janne Karhunen <Janne.Karhunen@xxxxxxxxx>

Uh, I would say nack, and if you need this then a device namespace
allowing you to 'pass' devices similarly to how you pass a physical
nic to a child netns is a part of the answer.

Your goals are not 100% clear to me. What is it about a user
namespace that you want?

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
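To make the capable()/ns_capable() distinction in the thread above concrete, here is a userspace model of the check the kernel performs in cap_capable() (security/commoncap.c). It is an added illustration, not kernel code and not the patch being discussed. The namespace/cred structs are stripped-down stand-ins, the capability numbers are the ones from <linux/capability.h>, and capable_with_token() is one possible reading of the proposal in the quoted mail (an assumption made here for illustration): a task holding CAP_SYS_RESOURCE in its own user namespace has its namespace-local capabilities honoured by capable() as if they were valid in init_user_ns.

```c
/* Model of the kernel capability check, added here for illustration only. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_SYS_ADMIN    21
#define CAP_SYS_RESOURCE 24
#define CAP_SYS_TIME     25
#define EPERM 1

/* Stand-in for struct user_namespace: only the fields cap_capable() consults. */
struct user_namespace {
    struct user_namespace *parent;  /* NULL for init_user_ns */
    int level;                      /* nesting depth, init_user_ns is 0 */
    unsigned owner;                 /* euid (in parent ns) of the ns creator */
};

/* Stand-in for struct cred. */
struct cred {
    struct user_namespace *user_ns; /* namespace the creds were issued in */
    unsigned euid;
    unsigned long long cap_effective; /* one bit per capability */
};

static inline bool cap_raised(unsigned long long set, int cap)
{
    return (set >> cap) & 1ULL;
}

/* Mirrors the walk in the kernel's cap_capable(): a cred holds a capability
 * in targ_ns if (a) targ_ns is the cred's own ns and the bit is set, or
 * (b) the cred's euid owns a descendant ns on the path up to targ_ns.
 * Walking upward past the cred's own level always fails. */
int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, int cap)
{
    struct user_namespace *ns = targ_ns;
    for (;;) {
        if (ns == cred->user_ns)
            return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
        if (ns->level <= cred->user_ns->level)
            return -EPERM;          /* targ_ns is an ancestor: no privilege */
        if (ns->parent == cred->user_ns && ns->owner == cred->euid)
            return 0;               /* creator of a child ns is capable in it */
        ns = ns->parent;
    }
}

struct user_namespace init_user_ns = { NULL, 0, 0 };

bool ns_capable(const struct cred *cred, struct user_namespace *ns, int cap)
{
    return cap_capable(cred, ns, cap) == 0;
}

/* capable() is ns_capable() against init_user_ns: this is why a task that
 * is "root" inside a child user namespace fails the ~1000 plain capable()
 * call sites mentioned in the thread. */
bool capable(const struct cred *cred, int cap)
{
    return ns_capable(cred, &init_user_ns, cap);
}

/* Assumption: one reading of the quoted proposal. CAP_SYS_RESOURCE in the
 * task's own ns acts as a token that lets its ns-local caps satisfy capable(). */
bool capable_with_token(const struct cred *cred, int cap)
{
    if (capable(cred, cap))
        return true;
    return cap_raised(cred->cap_effective, CAP_SYS_RESOURCE) &&
           ns_capable(cred, cred->user_ns, cap);
}

/* Constructed scenario: a container ns created by host uid 1000. */
struct user_namespace container_ns = { &init_user_ns, 1, 1000 };

const struct cred host_root      = { &init_user_ns, 0,    ~0ULL };
const struct cred host_user      = { &init_user_ns, 1000, 0ULL };
const struct cred container_root = { &container_ns, 0,    ~0ULL };
/* Container root that was NOT granted the CAP_SYS_RESOURCE "token". */
const struct cred container_root_no_token =
    { &container_ns, 0, ~0ULL & ~(1ULL << CAP_SYS_RESOURCE) };

int main(void)
{
    printf("host root      capable(CAP_SYS_TIME)              : %d\n", capable(&host_root, CAP_SYS_TIME));
    printf("container root capable(CAP_SYS_TIME)              : %d\n", capable(&container_root, CAP_SYS_TIME));
    printf("container root ns_capable(container, SYS_ADMIN)   : %d\n", ns_capable(&container_root, &container_ns, CAP_SYS_ADMIN));
    printf("host uid 1000  ns_capable(container, SYS_ADMIN)   : %d\n", ns_capable(&host_user, &container_ns, CAP_SYS_ADMIN));
    printf("container root capable_with_token(CAP_SYS_TIME)   : %d\n", capable_with_token(&container_root, CAP_SYS_TIME));
    return 0;
}
```

The owner rule is the subtle part: the unprivileged host user who created container_ns is ns_capable() in it without holding any capability bits, while container root, who holds every bit, fails capable() because init_user_ns sits above its own namespace.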