Hello, Serge. On Tue, Oct 04, 2016 at 03:18:40PM -0500, Serge E. Hallyn wrote: > how about changing the GLOBAL_ROOT_UID check with a targeted > capability check, like > > if (!ns_capable(tcred->user_ns, CAP_SYS_NICE) && > !uid_eq(cred->euid, tcred->uid) && > !uid_eq(cred->euid, tcred->suid)) > ret = -EACCES; > > where the actual capability to use may require some thought.
Yeah, that's the direction I'm thinking too. We can't use CAP_SYS_NICE in general tho. Let's see if a dedicated CAP sticks. Thanks. -- tejun
