Quoting Serge Hallyn ([email protected]):
> Eric,
>
> during the container reboot discussion, the agreement was reached that
> rebooting for real from non-init pid ns is not safe. Restarting userspace
> (in pidns caller owns) is. I argue the same reasoning supports this.
>
> I haven't had a chance to review the patch, but the idea gets my ack. I'll
> look at the patch asap.
>
> I'm also fine with splitting cap_sys_boot into a user and system caps. The
> former would only be needed targeted to the userns of the init pid, while the
> latter would be required to init_user_ns. Then containers could safely be
> given cap_sys_restart or whatever, but not cap_sys_boot which authorizes
> kexec and machine reset/poweroff.
Splitting the cap up into CAP_RESTART (restart /sbin/init) and CAP_BOOT (reboot hardware or kexec kernel) has the advantage that the capabilities each remain simpler to parse, no 'in this context it means that'.
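The risk the thread is weighing is a container that holds CAP_SYS_BOOT while living in a non-init pid namespace, because with a single undivided capability that grant authorizes kexec and a real machine reset, not just a restart of the container's own init. Until the capability is split, the practical defence is to audit for that combination. The script below is an added example, not code from this thread or from the kernel; it parses the `Cap*` mask lines of `/proc/<pid>/status` and reports whether CAP_SYS_BOOT (bit 22 in `<linux/capability.h>`) is present, and whether the process sits in the initial pid namespace. The two status dumps at the bottom are constructed samples, and `classify`/`audit_live` are names chosen here.

```python
"""Audit CAP_SYS_BOOT grants against pid-namespace membership.

Added example (not from the LKML thread). It reads the capability masks
that the kernel exposes in /proc/<pid>/status and flags processes that
hold CAP_SYS_BOOT outside the initial pid namespace, i.e. containers that
could trigger a real reboot/kexec rather than just restart their own init.
"""
import os

CAP_SYS_BOOT = 22  # bit index of CAP_SYS_BOOT in <linux/capability.h>


def parse_caps(status_text):
    """Return the Cap* lines of a /proc/<pid>/status dump as {name: int mask}."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key.strip()] = int(value.strip(), 16)
    return caps


def has_cap(mask, cap):
    """True if capability bit `cap` is set in the 64-bit mask."""
    return (mask >> cap) & 1 == 1


def classify(status_text, in_init_pidns):
    """Classify a process by its CAP_SYS_BOOT grant and namespace position.

    Returns one of:
      'no-sys-boot'                  - neither effective nor bounding set has it
      'host-sys-boot'                - has it, but runs in the init pid ns (expected for host init)
      'container-sys-boot-effective' - non-init pid ns and CAP_SYS_BOOT is effective now
      'container-sys-boot-bounding'  - non-init pid ns; not effective, but still in the
                                       bounding set so a setuid/file-cap exec could regain it
    """
    caps = parse_caps(status_text)
    eff = caps.get("CapEff", 0)
    bnd = caps.get("CapBnd", 0)
    if not has_cap(eff, CAP_SYS_BOOT) and not has_cap(bnd, CAP_SYS_BOOT):
        return "no-sys-boot"
    if in_init_pidns:
        return "host-sys-boot"
    if has_cap(eff, CAP_SYS_BOOT):
        return "container-sys-boot-effective"
    return "container-sys-boot-bounding"


def audit_live(pid):
    """Classify a running process. Reading /proc/1/ns/pid needs ptrace-read
    access to pid 1, so run this as root on the host, not inside the container."""
    with open(f"/proc/{pid}/status") as f:
        text = f.read()
    in_init = os.readlink(f"/proc/{pid}/ns/pid") == os.readlink("/proc/1/ns/pid")
    return classify(text, in_init)


# Constructed sample: the default capability set of an unprivileged container
# runtime (bit 22 is clear in 0xa80425fb).
DOCKER_DEFAULT = (
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
)

# Constructed sample: a fully privileged process (all 38 capability bits set).
PRIVILEGED = (
    "Name:\tsh\n"
    "CapEff:\t0000003fffffffff\n"
    "CapBnd:\t0000003fffffffff\n"
)

if __name__ == "__main__":
    print("default container:", classify(DOCKER_DEFAULT, in_init_pidns=False))
    print("privileged container:", classify(PRIVILEGED, in_init_pidns=False))
    print("host init:", classify(PRIVILEGED, in_init_pidns=True))
```

On a host, iterating `audit_live` over `/proc/[0-9]*` and alerting on either `container-*` result gives a simple check that no container has been handed the capability that, as Serge notes above, also authorizes kexec and a machine reset.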

