Serge E. Hallyn se...@us.ibm.com writes:
So I was thinking about how to safely but incrementally introduce
targeted capabilities - which we decided was a prereq to making VFS
handle user namespaces - and the following seemed doable. My main
motivations were (in order):
1. don't
Quoting Eric W. Biederman (ebied...@xmission.com):
Serge E. Hallyn se...@us.ibm.com writes:
So I was thinking about how to safely but incrementally introduce
targeted capabilities - which we decided was a prereq to making VFS
handle user namespaces - and the following seemed doable. My
Serge E. Hallyn se...@us.ibm.com writes:
But that's only if fred has CAP_KILL in a user namespace which is
ancestor to joe's process. Only fred's processes in a child
userns should have CAP_KILL.
Got it. What I don't see in your implementation is how you can kill a
child that is in its own
Serge E. Hallyn se...@us.ibm.com writes:
Quoting Eric W. Biederman (ebied...@xmission.com):
Serge E. Hallyn se...@us.ibm.com writes:
So I was thinking about how to safely but incrementally introduce
targeted capabilities - which we decided was a prereq to making VFS
handle user
Serge E. Hallyn se...@us.ibm.com writes:
- Introduce ns_capable to test for a capability in a non-default
user namespace.
- Teach cap_capable to handle capabilities in a non-default
user namespace.
So yeah, I didn't address the whole has_capability junk. Feh.
That just fell out...
Quoting Eric W. Biederman (ebied...@xmission.com):
Serge E. Hallyn se...@us.ibm.com writes:
- Introduce ns_capable to test for a capability in a non-default
user namespace.
- Teach cap_capable to handle capabilities in a non-default
user namespace.
So yeah, I didn't address the
On Thu, 31 Dec 2009 00:10:50 -0500
Ben Blum bb...@andrew.cmu.edu wrote:
This patch series implements support for building, loading, and
unloading subsystems as modules, both within and outside the kernel
source tree. It provides an interface cgroup_load_subsys() and
cgroup_unload_subsys()
Serge E. Hallyn se...@us.ibm.com writes:
Quoting Eric W. Biederman (ebied...@xmission.com):
Serge E. Hallyn se...@us.ibm.com writes:
- Introduce ns_capable to test for a capability in a non-default
user namespace.
- Teach cap_capable to handle capabilities in a non-default
user
On Mon, Dec 28, 2009 at 3:36 PM, Serge E. Hallyn se...@us.ibm.com wrote:
Quoting Daniel Lezcano (daniel.lezc...@free.fr):
The ns_cgroup is an annoying cgroup at the namespace / cgroup frontier.
True. However, it remains - apart from using smack or SELinux - the
only way to truly lock a
On Wed, Dec 30, 2009 at 7:57 AM, Kirill A. Shutemov
kir...@shutemov.name wrote:
This patch introduces write-only file cgroup.event_control in every
cgroup.
This looks like a nice generic API for doing event notifications - thanks!
Sorry I hadn't had a chance to review it before now, due to
On Wed, Jan 06, 2010 at 04:04:14PM -0800, Andrew Morton wrote:
On Thu, 31 Dec 2009 00:10:50 -0500
Ben Blum bb...@andrew.cmu.edu wrote:
This patch series implements support for building, loading, and
unloading subsystems as modules, both within and outside the kernel
source tree. It
On Mon, Dec 28, 2009 at 3:04 PM, Daniel Lezcano daniel.lezc...@free.fr wrote:
This patch is sent as an answer to a previous thread around the ns_cgroup.
https://lists.linux-foundation.org/pipermail/containers/2009-June/018627.html
It adds a control file 'clone_children' for a cgroup.
This
On Wed, 6 Jan 2010 20:26:06 -0500
Ben Blum bb...@andrew.cmu.edu wrote:
On Wed, Jan 06, 2010 at 04:04:14PM -0800, Andrew Morton wrote:
On Thu, 31 Dec 2009 00:10:50 -0500
Ben Blum bb...@andrew.cmu.edu wrote:
This patch series implements support for building, loading, and
unloading
KAMEZAWA Hiroyuki wrote:
On Wed, 6 Jan 2010 20:26:06 -0500
Ben Blum bb...@andrew.cmu.edu wrote:
On Wed, Jan 06, 2010 at 04:04:14PM -0800, Andrew Morton wrote:
On Thu, 31 Dec 2009 00:10:50 -0500
Ben Blum bb...@andrew.cmu.edu wrote:
This patch series implements support for building,
On Thu, 07 Jan 2010 14:42:19 +0800
Li Zefan l...@cn.fujitsu.com wrote:
KAMEZAWA Hiroyuki wrote:
On Wed, 6 Jan 2010 20:26:06 -0500
Ben Blum bb...@andrew.cmu.edu wrote:
On Wed, Jan 06, 2010 at 04:04:14PM -0800, Andrew Morton wrote:
On Thu, 31 Dec 2009 00:10:50 -0500
Ben Blum
On Thu, Jan 07, 2010 at 04:16:27PM +0900, KAMEZAWA Hiroyuki wrote:
On Thu, 07 Jan 2010 14:42:19 +0800
Li Zefan l...@cn.fujitsu.com wrote:
KAMEZAWA Hiroyuki wrote:
On Wed, 6 Jan 2010 20:26:06 -0500
Ben Blum bb...@andrew.cmu.edu wrote:
On Wed, Jan 06, 2010 at 04:04:14PM -0800,
On Thu, 7 Jan 2010 02:48:12 -0500
Ben Blum bb...@andrew.cmu.edu wrote:
2. Making this to be reasonable value.
#define CGROUP_SUBSYS_COUNT (BITS_PER_BYTE*sizeof(unsigned long))
I can't find why.
We limit to this many since cgroupfs_root has subsys_bits to keep track
of all of them.