[patch 1/1][RFC] do not sys_reboot when not in init_pid_ns

Daniel Lezcano dlezcano at fr.ibm.com
Tue Nov 4 12:40:43 PST 2008


Daniel Hokka Zakrisson wrote:
> Daniel Lezcano wrote:
> 
> Wouldn't it be better to simply remove CAP_SYS_BOOT from containers
> until sys_reboot emits some signal to userspace to restart/halt the
> container? (This is what we do in Linux-VServer.)

Ok, I will try, thanks.

BTW, isn't it possible that a process gives the CAP_SYS_BOOT capability to
itself again and is then able to shut down the host? I guess I should remove
CAP_SETPCAP too, no?

