On Fri, Aug 28, 2015 at 05:20:01PM +0400, Andrew Vagin wrote:
+bool ve_capable(int cap)
+{
+ return ns_capable(get_exec_env()-init_cred-user_ns, cap);
+}
init_cred is set in ve_grab_context, which means that if a task
occasionally uses ve_capable() before writing START to ve.state, the
We want to allow a few operations in VE. Currently we use nsown_capable,
but it's wrong, because in this case we allow these operations in any
user namespace.
Signed-off-by: Andrew Vagin ava...@openvz.org
---
fs/autofs4/root.c |6 ++
fs/ioprio.c|2 +-