[Devel] [PATCH] fs/locks: Make CAP_LEASE work in containers

Cyrill Gorcunov gorcunov at virtuozzo.com
Tue Apr 26 02:36:12 PDT 2016


On Mon, Apr 25, 2016 at 06:22:10PM +0300, Evgenii Shatokhin wrote:
> https://jira.sw.ru/browse/PSBM-46199
> 
> Allowing the privileged processes in the containers to set leases on
> arbitrary files seems to do no harm. Let us make CAP_LEASE work there.
> 
> Signed-off-by: Evgenii Shatokhin <eshatokhin at virtuozzo.com>
Acked-by: Cyrill Gorcunov <gorcunov at openvz.org>

There is one point which worries me a bit actually: ve_capable is
rather a check for creds in the user-ns we created for the container during
its startup. Do we prohibit creating new user namespaces inside the
container? If not, we should.
