[Devel] Re: [patch 1/1][RFC] do not sys_reboot when not in init_pid_ns
Serge E. Hallyn
serue at us.ibm.com
Sun Nov 2 15:04:14 PST 2008
Quoting Daniel Hokka Zakrisson (daniel at hozac.com):
> Daniel Lezcano wrote:
> >
>
> Wouldn't it be better to simply remove CAP_SYS_BOOT from containers
> until sys_reboot emits some signal to userspace to restart/halt the
> container? (This is what we do in Linux-VServer.)
>
> --
> Daniel Hokka Zakrisson
Yeah that makes more sense to me.
Note that otherwise your patch still lets the container mess with
sys_kexec_load(), for instance.
-serge
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
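
Added example, not part of this thread and not Linux-VServer or kernel code: a small C launcher that applies the suggestion above by removing CAP_SYS_BOOT from the bounding set and from the thread's own sets before exec'ing the container's init. reboot(2) and kexec_load(2) both require CAP_SYS_BOOT, so both are refused inside. The function names and the launcher layout are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#define BOOT_IDX  CAP_TO_INDEX(CAP_SYS_BOOT)
#define BOOT_MASK CAP_TO_MASK(CAP_SYS_BOOT)

/* Read the calling thread's capability sets with the raw capget(2) syscall. */
static int read_caps(struct __user_cap_header_struct *h,
                     struct __user_cap_data_struct d[2])
{
    memset(h, 0, sizeof(*h));                  /* pid 0 = calling thread */
    h->version = _LINUX_CAPABILITY_VERSION_3;
    return (int)syscall(SYS_capget, h, d);
}

/* 1 if CAP_SYS_BOOT is in any of the thread's sets, 0 if not, -1 on error. */
int holds_sys_boot(void)
{
    struct __user_cap_header_struct h; struct __user_cap_data_struct d[2];
    if (read_caps(&h, d) != 0) return -1;
    return ((d[BOOT_IDX].effective | d[BOOT_IDX].permitted |
             d[BOOT_IDX].inheritable) & BOOT_MASK) != 0;
}

/* Returns 0 when CAP_SYS_BOOT is gone everywhere, 1 when it is still in the
 * bounding set (caller lacked CAP_SETPCAP), -1 on error. */
int drop_sys_boot(void)
{
    struct __user_cap_header_struct h; struct __user_cap_data_struct d[2];
    prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0); /* outcome read back below */
    if (read_caps(&h, d) != 0) return -1;
    d[BOOT_IDX].effective   &= ~BOOT_MASK;
    d[BOOT_IDX].permitted   &= ~BOOT_MASK;
    d[BOOT_IDX].inheritable &= ~BOOT_MASK;     /* else it survives execve */
    if (syscall(SYS_capset, &h, d) != 0) return -1;
    return prctl(PR_CAPBSET_READ, CAP_SYS_BOOT, 0, 0, 0);
}

int main(int argc, char **argv)
{
    if (argc < 2 || drop_sys_boot() != 0)
        return 1;               /* refuse to start init with the capability */
    execvp(argv[1], argv + 1);  /* container init and its arguments */
    return 1;                   /* only reached if exec failed */
}
```

The bounding-set drop is what keeps setuid-root or file-capability binaries inside the container from regaining CAP_SYS_BOOT at a later execve.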