Kees Cook <keescook@xxxxxxxxxxxx> writes: > + if (sysctl_userns_restrict && !(capable(CAP_SYS_ADMIN) && > + capable(CAP_SETUID) && > + capable(CAP_SETGID))) > + return -EPERM; > + I will also note that the way I have seen containers used this check adds no security and is not mentioned or justified in any way in your patch description. Furthermore this looks like blame shifting. And quite frankly shifting the responsibility to users if they get hacked is not an acceptable attitude. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
