On Thu, 2008-12-18 at 10:54 -0800, Eric W. Biederman wrote:
> "Serge E. Hallyn" <[email protected]> writes:
>
>
> > The uid check needs to be fixed for user namespaces, agreed. I could
> > go either way though on whether we should also restrict to the same
> > pidns.
>
> It would be a subtle unexpected semantic change, that we would need
> to copy linux-abi and document etc. I'm not convinced it is that
> useful.
>
> I'm inclined to keep the semantics pure until there is some real
> experience from the field on issues like this.
Well the man page talks about PRIO_PROCESS and PRIO_PGRP and in those
cases it looks like "who" is really a pid or pgrp id:
> The value which is one of PRIO_PROCESS, PRIO_PGRP, or PRIO_USER, and
> who is interpreted relative to which (a process identifier for
> PRIO_PROCESS, process group identifier for PRIO_PGRP, and a user ID for
> PRIO_USER).
It looks to me like restricting by pidns is required if "which" is
PRIO_PROCESS or PRIO_PGRP. If "which" is PRIO_USER then yes, it sounds
like a user ns issue.
Cheers,
-Matt Helsley
_______________________________________________
Containers mailing list
[email protected]
https://lists.linux-foundation.org/mailman/listinfo/containers
_______________________________________________
Devel mailing list
[email protected]
https://openvz.org/mailman/listinfo/devel
