Kees Cook <[email protected]> writes: > + if (sysctl_userns_restrict && !(capable(CAP_SYS_ADMIN) && > + capable(CAP_SETUID) && > + capable(CAP_SETGID))) > + return -EPERM; > +
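
Review bot: The condition in this `if` has no comment explaining why all three of CAP_SYS_ADMIN, CAP_SETUID and CAP_SETGID are required together, and it tests them with capable(), which checks the initial user namespace rather than the caller's own. With sysctl_userns_restrict set, a task that holds these capabilities only inside an existing user namespace therefore gets -EPERM and cannot create a nested one. If that is intended, say so in a comment above the check and in the sysctl documentation. Also state the threat this gate addresses, since a caller that already holds all three capabilities in the initial namespace gains little from a user namespace.
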
I will also note that the way I have seen containers used, this check adds no security and is not mentioned or justified in any way in your patch description. Furthermore this looks like blame shifting. And quite frankly shifting the responsibility to users if they get hacked is not an acceptable attitude.

Eric

