[Devel] Re: [PATCH][RFC] Cleanup in namespaces unsharing
Pavel Emelianov
xemul at openvz.org
Fri Jun 8 06:05:46 PDT 2007
Cedric Le Goater wrote:
> Pavel Emelianov wrote:
>> Cedric Le Goater wrote:
>>> Pavel Emelianov wrote:
[snip]
>>>> Did I miss something in the design or is this patch worth merging?
>>> I've sent a more brutal patch in the past removing CONFIG_IPC_NS
>>> and CONFIG_UTS_NS. Might be a better idea ?
>> In case namespaces do not produce performance loss - yes.
>>
>> By that patch I also wanted to note that we'd better make
>> all the other namespaces check for flags themselves, not
>> putting this in the generic code.
>
> yep. let's fix that in the coming ones if they have config option.
>
> a similar issue is the following check done in
> unshare_nsproxy_namespaces() and copy_namespaces() :
>
> 	if (!capable(CAP_SYS_ADMIN))
> 		return -EPERM;
>
> it would be interesting to let the namespace handle the unshare
> permissions. CAP_SYS_ADMIN shouldn't be required for all namespaces.
> ipc is one example.
Frankly, I think that some capability *is* required for
cloning the namespaces.
>
> C.
>
Thanks,
Pavel