Quoting Sukadev Bhattiprolu ([email protected]): > The process P1 that called fcntl(F_SETOWN) may have exited and hence > may not in the checkpoint-image. So during restart, some other process > will need to act for P1. Would requiring CAP_SETUID, like we do for > restoring creds be an overkill ?
Yeah I think CAP_SETUID is overkill. Yes, it's what would have been needed to cause the condition originally, but the only real implication is CAP_KILL. And since the application might have originally run with euid=1001 and suid=1002, done the fcntl, and then done setresuid(1002,1002,1002), CAP_SETUID may not have originaly been necessary (if I'm thinking straight). In any case, CAP_KILL is what you can do with the result, so I think that suffices. -serge _______________________________________________ Containers mailing list [email protected] https://lists.linux-foundation.org/mailman/listinfo/containers _______________________________________________ Devel mailing list [email protected] https://openvz.org/mailman/listinfo/devel
