Hi Younes,

On 11/1/22 17:49, Younes Manton wrote:
> Hi,
>
> imachug@xxxxxxxxx testing CRIU noticed that the documentation for proc's map_files directory with respect to CAP_CHECKPOINT_RESTORE and namespaces appears to be wrong. The text reads:
>
>     since Linux 5.9, the reading process must have either CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE in the user namespace where it resides.
>
> The reporter noted that the user actually needs the capabilities in the initial user namespace, not in the namespace the process resides in. As far as I can tell this appears to be the case. The text was introduced in 167f94b707148bcd46fe39c7d4ebfada9eed88f6 and refers to kernel commit 12886f8ab10ce6a09af1d92535d49c81aaa215a8. The code and message in the kernel commit refer to the initial user namespace.

Could you please write a small program and shell session that demonstrates either behavior?

Thanks,

Alex

-- 
<http://www.alejandro-colomar.es/>
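
A probe of the kind requested above, as an added example that is not from either participant in the thread: it calls readlink(2) and open(2) on one /proc/self/map_files entry, enters a new user namespace with unshare(CLONE_NEWUSER) (where the process holds a full capability set in that namespace only), and repeats both calls. The helper names are this example's own, and it prints errno values rather than assuming an outcome.

```c
/* Added example (constructed for this page); helper names are its own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <unistd.h>

/* Build the map_files entry path for the mapping [start, end). */
int map_files_entry(char *buf, size_t n, unsigned long start, unsigned long end)
{
    return snprintf(buf, n, "/proc/self/map_files/%lx-%lx", start, end);
}

/* Return 0 on success, else errno: readlink(2) if !follow, open(2) if follow. */
int probe(const char *path, int follow)
{
    char target[4096];
    int r = follow ? open(path, O_RDONLY | O_CLOEXEC)
                   : (int)readlink(path, target, sizeof target);
    int err = r < 0 ? errno : 0;
    if (follow && r >= 0)
        close(r);
    return err;
}

/* Find the first file-backed mapping in /proc/self/maps; 0 on success. */
int first_file_mapping(char *buf, size_t n)
{
    char line[4096];
    unsigned long start, end, inode;
    int found = -1;
    FILE *f = fopen("/proc/self/maps", "r");
    while (f && found && fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %*s %*s %*s %lu", &start, &end, &inode) == 3 && inode)
            found = map_files_entry(buf, n, start, end) < 0 ? -1 : 0;
    if (f) fclose(f);
    return found;
}

int main(void)
{
    char path[64];
    if (first_file_mapping(path, sizeof path)) return 1;
    printf("before unshare: readlink errno=%d, open errno=%d\n", probe(path, 0), probe(path, 1));
    if (unshare(CLONE_NEWUSER)) { perror("unshare(CLONE_NEWUSER)"); return 1; }
    printf("new user ns:    readlink errno=%d, open errno=%d\n", probe(path, 0), probe(path, 1));
    return 0;
}
```

Running it once as an unprivileged user and once as root gives the four cases to compare against the manual page text.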