[Devel] Re: [RFC][v8][PATCH 3/10]: Make pid_max a pid_ns property
Pavel Emelyanov
xemul at openvz.org
Tue Oct 13 09:10:30 PDT 2009
> This patch isn't a core part of the clone_with_pid functionality,
> just something Eric has asked for. So I don't object to dropping
> it. But I disagree with Alexey's claim that this isn't a namespace
> property. It should be.
OK
>> frankly I don't see the reason for doing so. Why should we?
>> Especially taking into account, that we essentially cannot
>> change thin in the namespace level 3 and deeper?
>
> What do you mean by that? With this patchset we're not, it's
> true, but we trivially can - even now, userspace can simply not
> give the container CAP_SYS_ADMIN or write access to the sysctl
> so they can't do any more CLONE_NEWPIDS or change the sysctl.
It's a misprint - I meant "level 2 and deeper". Sysctl is
only pointing at the init_pid_ns variable.
> -serge
>
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
More information about the Devel
mailing list