> > + t->table[0].mode = 0644;
>
> Yikes, this could be a problem for containers, as it's simply tied to
> uid 0, whereas tying it to a capability would let us solve it with
> capability bounds.
>
> This might mean more urgency to get user namespaces working at least
> with sysfs, else this is a quick way around having CAP_SYS_ADMIN taken
> out of a container's capability bounding set.

I think I understand the problem, but not the solution. How are user
namespaces going to help?

Maybe sysctls just need to check capabilities, instead of uids. I think
that would make a lot of sense anyway.

Thanks,
Miklos

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
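As an added illustration, not code from this thread or from the kernel, the following userspace C model contrasts the two gating policies the reply discusses: a mode-0644 check, where write permission reduces to "is the caller uid 0", and a capability check, which is subject to the capability bounding set. The struct, the function names and the flat bitmask layout are simplifying assumptions made for the model; only the CAP_SYS_ADMIN number is the real kernel constant. The point it shows is that a container's root (uid 0 with CAP_SYS_ADMIN removed from its bounding set) passes the first check and fails the second.

```c
/*
 * Added example (not from the thread or the kernel): a userspace model of
 * gating a sysctl write by file mode versus by capability.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_SYS_ADMIN 21              /* real value from linux/capability.h */
#define CAP_BIT(c)    (1ULL << (c))   /* assumed flat bitmask, for the model */

/* Minimal model of a task's credentials (assumed layout, not struct cred). */
struct task {
    unsigned uid;
    uint64_t cap_effective;  /* caps the task currently holds */
    uint64_t cap_bounding;   /* bounding set: caps it can ever hold */
};

static struct task make_task(unsigned uid, uint64_t effective, uint64_t bounding)
{
    struct task t;
    t.uid = uid;
    /* A runtime drops the bounding set before exec'ing the container init,
     * so nothing outside it can remain effective; model that by masking. */
    t.cap_effective = effective & bounding;
    t.cap_bounding = bounding;
    return t;
}

/* Mode 0644 on the sysctl file: only the owner (uid 0) may write.
 * No capability is consulted at all. */
static bool can_write_mode0644(const struct task *t)
{
    return t->uid == 0;
}

/* Capability-based gate: the write requires CAP_SYS_ADMIN to be effective,
 * which the bounding set can deny regardless of uid. */
static bool can_write_capability(const struct task *t)
{
    return (t->cap_effective & CAP_BIT(CAP_SYS_ADMIN)) != 0;
}

/* uid 0 inside a container whose runtime removed CAP_SYS_ADMIN from the
 * bounding set. */
static struct task container_root(void)
{
    uint64_t bounding = ~0ULL & ~CAP_BIT(CAP_SYS_ADMIN);
    return make_task(0, ~0ULL, bounding);
}

/* uid 0 on the host with a full bounding set. */
static struct task host_root(void)
{
    return make_task(0, ~0ULL, ~0ULL);
}

static void report(const char *who, const struct task *t)
{
    printf("%-15s mode-0644 write: %s  capability write: %s\n", who,
           can_write_mode0644(t) ? "allowed" : "denied",
           can_write_capability(t) ? "allowed" : "denied");
}

int main(void)
{
    struct task host = host_root();
    struct task ctr = container_root();
    report("host root", &host);
    report("container root", &ctr);   /* allowed under 0644, denied by cap */
    return 0;
}
```

The mode-based check is what the quoted `mode = 0644` line gives for free; the capability-based check is what the reply argues for, since it lets a runtime that has already removed CAP_SYS_ADMIN from the container's bounding set deny the write without any further mechanism.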