https://bugzilla.kernel.org/show_bug.cgi?id=216215

--- Comment #2 from pxeger (linuxkernelbugzilla@xxxxxxxxxx) ---
Ah, I understand the confusion I was having now: all namespaces, *except user namespaces*, require CAP_SYS_ADMIN. But creating a new user namespace automatically confers a full set of capabilities.

So, when using clone(2) with CLONE_NEWUSER and some other CLONE_NEW* flags for other namespaces, at the same time, you don't need CAP_SYS_ADMIN in the parent, because it's given to the child during the clone call.

Is this worth mentioning somewhere?
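The behaviour described in the comment above can be checked with a small Linux program; this is an added example, not code from the bug report or the man-pages project. `try_clone` is a hypothetical helper that issues the raw clone syscall, and the hostname `demo` is a constructed value.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Kernel UAPI flag values, defined here so <sched.h> is not needed. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUTS  0x04000000UL
#define CLONE_NEWUSER 0x10000000UL
#endif

/* Hypothetical helper: clone(2) a child into ns_flags; if set_host is set the
 * child calls sethostname(2), which needs CAP_SYS_ADMIN over its UTS namespace.
 * Returns 0 on success, otherwise the errno of the step that failed. */
int try_clone(unsigned long ns_flags, int set_host)
{
    /* Raw syscall with a NULL stack behaves like fork(2) plus the flags.
     * Assumes flags is the first argument (x86-64, arm64; not s390). */
    long pid = syscall(SYS_clone, ns_flags | SIGCHLD, 0UL, 0UL, 0UL, 0UL);
    if (pid == -1)
        return errno;                  /* e.g. EPERM in the parent */
    if (pid == 0) {                    /* child, inside the new namespaces */
        int err = 0;
        if (set_host && sethostname("demo", 4) != 0)
            err = errno;
        _exit(err);                    /* report the result to the parent */
    }
    int status = 0;
    if (waitpid((pid_t)pid, &status, 0) == -1)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINTR;
}

int main(void)
{
    struct { const char *name; unsigned long flags; int set_host; } cases[] = {
        { "CLONE_NEWUTS alone",         CLONE_NEWUTS,                 1 },
        { "CLONE_NEWUSER alone",        CLONE_NEWUSER,                0 },
        { "CLONE_NEWUSER|CLONE_NEWUTS", CLONE_NEWUSER | CLONE_NEWUTS, 1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int err = try_clone(cases[i].flags, cases[i].set_host);
        printf("%-28s %s\n", cases[i].name, err ? strerror(err) : "ok");
    }
    return 0;
}
```

Run as an unprivileged user on a kernel that permits unprivileged user namespaces without further LSM restrictions, the first case is expected to fail with EPERM and the other two to succeed; where user namespaces are disabled or filtered, the last two fail as well.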