[LTP] [PATCH v2] Confirming EPERM is returned when CAP_SYS_ADMIN is removed from clone3. Signed-off-by: Stephen Bertram <sbertram@redhat.com>
Li Wang
liwang@redhat.com
Wed Nov 12 11:34:23 CET 2025
Hi Stephen,
According to the clone3() manual page:
"EPERM CLONE_NEWCGROUP, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS,
CLONE_NEWPID, or CLONE_NEWUTS was specified by an unprivileged process
(process without CAP_SYS_ADMIN).
EPERM (clone3() only)
set_tid_size was greater than zero, and the caller lacks the
CAP_SYS_ADMIN capability in one or more of the user namespaces that own the
corresponding PID namespaces."
Shouldn't we separately test both? In your test, we don't know whether the EPERM
comes from "set_tid_size>0" (or CLONE_NEW*) with no CAP_SYS_ADMIN.
--
Regards,
Li Wang
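
The two EPERM causes quoted from the manual page can be probed one at a time, as in the following added example (not part of the original message or of the LTP patch). The function name `probe_eperm` and the choice to drop every capability rather than CAP_SYS_ADMIN alone are assumptions of this sketch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <linux/sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* In a forked helper, drop all capabilities (CAP_SYS_ADMIN included), then
 * trigger exactly one documented EPERM cause and return the resulting errno
 * (0 if clone3() succeeded, -1 or 255 if the probe itself could not run).
 * use_set_tid == 0: CLONE_NEWPID only. use_set_tid == 1: set_tid only. */
int probe_eperm(int use_set_tid)
{
	int status;
	pid_t helper = fork();
	if (helper == 0) {
		struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
		struct __user_cap_data_struct caps[2];
		struct clone_args args;
		pid_t tid = getpid();   /* constructed: any valid PID number */
		long pid;
		memset(caps, 0, sizeof(caps));
		memset(&args, 0, sizeof(args));
		if (syscall(SYS_capset, &hdr, caps))
			_exit(255);     /* could not drop capabilities */
		args.exit_signal = SIGCHLD;
		if (use_set_tid) {
			args.set_tid = (unsigned long)&tid;
			args.set_tid_size = 1;
		} else {
			args.flags = CLONE_NEWPID;
		}
		pid = syscall(SYS_clone3, &args, sizeof(args));
		if (pid > 0)
			waitpid(pid, NULL, 0);
		_exit(pid < 0 ? errno : 0); /* a clone3 child (pid == 0) exits here too */
	}
	if (helper < 0 || waitpid(helper, &status, 0) < 0 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status);
}

int main(void)
{
	printf("CLONE_NEWPID: %d, set_tid: %d\n", probe_eperm(0), probe_eperm(1));
	return 0;
}
```

On kernels 5.9 and later the set_tid check also accepts CAP_CHECKPOINT_RESTORE, so a test that removes only CAP_SYS_ADMIN from a process holding that capability will not see EPERM on the set_tid path.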