[PATCH] Forbid invocation of kexec_load() outside initial PID namespace
Eric W. Biederman
ebiederm at xmission.com
Fri Aug 3 12:45:40 UTC 2012
The solution is to use user namespaces and to only test ns_capable on the magic reboot path.
For the 3.7 timeframe that should be a realistic solution.
More information about the Containers