[PATCH][RFC] Cleanup in namespaces unsharing

Pavel Emelianov xemul at openvz.org
Fri Jun 8 06:05:46 PDT 2007


Cedric Le Goater wrote:
> Pavel Emelianov wrote:
>> Cedric Le Goater wrote:
>>> Pavel Emelianov wrote:

[snip]

>>>> Did I miss something in the design or is this patch worth merging?
>>> I've sent a more brutal patch in the past removing CONFIG_IPC_NS
>>> and CONFIG_UTS_NS. Might be a better idea?
>> In case namespaces do not produce performance loss - yes.
>>
>> By that patch I also wanted to note that we'd better make
>> all the other namespaces check for flags themselves, not
>> putting this in the generic code.
> 
> Yep. Let's fix that in the coming ones if they have a config option.
> 
> A similar issue is the following check done in
> unshare_nsproxy_namespaces() and copy_namespaces():
> 
> 	if (!capable(CAP_SYS_ADMIN))
> 		return -EPERM;
> 
> It would be interesting to let the namespace handle the unshare
> permissions. CAP_SYS_ADMIN shouldn't be required for all namespaces.
> IPC is one example.

Frankly, I think that some capability *is* required for
cloning the namespaces.

> 
> C.
> 

Thanks,
Pavel

