On Fri, Jul 10, 2020 at 01:10:23PM -0600, Tycho Andersen wrote: > On Fri, Jul 10, 2020 at 11:51:55AM -0700, Kees Cook wrote: > > Running the seccomp tests as a regular user shouldn't just fail tests > > that require CAP_SYS_ADMIN (for getting a PID namespace). Instead, > > detect those cases and SKIP them. > > But if we unshare NEWUSER at the same time as NEWPID, shouldn't we > always be ns_capable(CAP_SYS_ADMIN)?
Oh! Yes, you're quite right. :) Instead I guess I should actually check for EINVAL if CONFIG_USER_NS is missing. -- Kees Cook