Haven't looked closely enough yet, but a few comments:

1. mount/umount make up a lot of the privileged calls, and at some point these will hopefully be supported unprivileged (at least for bind mounts).
2. one nice bonus of this is that we can easily spot where priv is expected to be used.

3. instead of keeping caps in pP and raising in pE when needed, a more privilege-separated approach could be used, where you have small privileged helpers which are called by the unprivileged main program. In this case, lxc-start would clear out both pP and pE, but keep caps in pI. Then, little helpers like lxc-destroy-cgroup would have fP=fE=empty and fI=<some_set> where some_set has just the caps it needs to do its job. Then if any normal user calls lxc-destroy-cgroup, it'll run with no privs, but when lxc-start calls it with pI=full, then lxc-destroy-cgroup will run with pP = (intersection of lxc-start's pI and lxc-destroy-cgroup's fI). It can then move bits from pP to pE when needed (or just have fE=fI to have pE auto-filled).

-serge

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
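As an added illustration (not from the mail above or from the LXC code), this C model applies the execve() capability-transition rule documented in capabilities(7) to the helper scheme in point 3. The helper's fI holding only CAP_SYS_ADMIN is a constructed stand-in for "just the caps it needs", and the last case (a caller whose pI lacks that cap) goes beyond the mail to show the intersection doing its job.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Capability sets as 64-bit masks; bit n is capability number n. */
typedef struct { uint64_t p, e, i; } caps;   /* permitted, effective, inheritable */

#define CAP_BIT(n)    (UINT64_C(1) << (n))
#define CAP_NET_ADMIN 12   /* bit numbers as in linux/capability.h */
#define CAP_SYS_ADMIN 21

/* Transition on execve() as documented in capabilities(7) for kernels of this
 * era (no ambient set). Note the file "effective set" is a single on/off flag.
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & bset)
 *   P'(effective)   = F(effective) ? P'(permitted) : 0
 *   P'(inheritable) = P(inheritable)                                         */
caps exec_transition(caps proc, uint64_t fp, uint64_t fi, int fe, uint64_t bset)
{
    caps out;
    out.p = (proc.i & fi) | (fp & bset);
    out.e = fe ? out.p : 0;
    out.i = proc.i;
    return out;
}

/* Helper as proposed: fP = fE = empty, fI = just the cap it needs.
 * Constructed assumption: cgroup cleanup needs CAP_SYS_ADMIN only. */
#define HELPER_FI CAP_BIT(CAP_SYS_ADMIN)
#define ALL_CAPS  (~UINT64_C(0))

/* Exec the helper from a caller with pP = pE = empty and the given pI;
 * fe selects whether the helper was built with fE set (pE auto-filled). */
caps run_helper(uint64_t caller_pi, int fe)
{
    caps caller = { 0, 0, caller_pi };
    return exec_transition(caller, 0, HELPER_FI, fe, ALL_CAPS);
}

static void show(const char *who, caps c)
{
    printf("%-22s pP=%#" PRIx64 " pE=%#" PRIx64 " pI=%#" PRIx64 "\n", who, c.p, c.e, c.i);
}

int main(void)
{
    show("normal user:", run_helper(0, 0));                       /* no privs at all */
    show("lxc-start, pI=full:", run_helper(ALL_CAPS, 0));         /* pP = pI & fI, pE empty */
    show("lxc-start, fE set:", run_helper(ALL_CAPS, 1));          /* pE auto-filled from pP */
    show("caller lacks the cap:", run_helper(CAP_BIT(CAP_NET_ADMIN), 0)); /* intersection empty */
    return 0;
}
```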