Michael Biebl wrote:
> - CAP_SYS_ADMIN: exceed /proc/sys/fs/file-max, the system-wide limit
> on the number of open files, in system calls that open files (e.g.
> accept execve), use of setns(),...
I realize that you can't lock down things upstream still requires, but CAP_SYS_ADMIN is root-equivalent and probably always will be. This would be top on the list of capabilities to try to get upstream to provide a way to do without.
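Since the thread's point is that CAP_SYS_ADMIN should be treated as root-equivalent, a practical follow-up for an administrator is to audit which running services actually retain it. The script below is an added example, not code from the list posters or from any project discussed here: it decodes the `CapEff` bitmask that the kernel exposes in `/proc/<pid>/status` into capability names and flags processes holding CAP_SYS_ADMIN. The bit numbers come from `linux/capability.h`; the two status excerpts it parses are constructed sample input so it runs offline, and `audit_pid()` is a hypothetical helper name for reading a live process.

```python
import re

# Capability bit numbers as defined in linux/capability.h.
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28, "CAP_AUDIT_WRITE": 29, "CAP_AUDIT_CONTROL": 30,
    "CAP_SETFCAP": 31, "CAP_MAC_OVERRIDE": 32, "CAP_MAC_ADMIN": 33,
    "CAP_SYSLOG": 34, "CAP_WAKE_ALARM": 35, "CAP_BLOCK_SUSPEND": 36,
    "CAP_AUDIT_READ": 37, "CAP_PERFMON": 38, "CAP_BPF": 39,
    "CAP_CHECKPOINT_RESTORE": 40,
}

# Capabilities that are effectively root-equivalent; CAP_SYS_ADMIN is the
# one the thread singles out, the others are commonly listed alongside it.
ROOT_EQUIVALENT = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
                   "CAP_SYS_PTRACE", "CAP_DAC_OVERRIDE", "CAP_SETFCAP"}

# Constructed sample /proc/<pid>/status excerpts (not captured from a real host).
# The first uses the mask a container runtime typically grants by default;
# the second is the full bounding set a root daemon keeps if nothing drops caps.
SAMPLE_RESTRICTED = "Name:\tnginx\nPid:\t4242\nCapEff:\t00000000a80425fb\n"
SAMPLE_FULL = "Name:\tsome-daemon\nPid:\t4243\nCapEff:\t000001ffffffffff\n"


def parse_cap_eff(status_text):
    """Return the effective capability mask from a /proc status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def decode_caps(mask):
    """Map a capability bitmask to the sorted set of capability names it contains."""
    return sorted(name for name, bit in CAP_BITS.items() if mask & (1 << bit))


def has_cap(mask, name):
    return bool(mask & (1 << CAP_BITS[name]))


def root_equivalent_caps(mask):
    """Names of root-equivalent capabilities present in the mask."""
    return sorted(c for c in decode_caps(mask) if c in ROOT_EQUIVALENT)


def audit_status(status_text):
    """Summarise one process: name, pid, and the dangerous caps it holds."""
    name = re.search(r"^Name:\s*(.*)$", status_text, re.MULTILINE).group(1)
    pid = int(re.search(r"^Pid:\s*(\d+)$", status_text, re.MULTILINE).group(1))
    mask = parse_cap_eff(status_text)
    return {"name": name, "pid": pid, "mask": mask,
            "root_equivalent": root_equivalent_caps(mask),
            "sys_admin": has_cap(mask, "CAP_SYS_ADMIN")}


def audit_pid(pid):
    """Hypothetical helper: audit a live process by reading its /proc status."""
    with open(f"/proc/{pid}/status") as f:
        return audit_status(f.read())


if __name__ == "__main__":
    for sample in (SAMPLE_RESTRICTED, SAMPLE_FULL):
        r = audit_status(sample)
        flag = "HAS CAP_SYS_ADMIN" if r["sys_admin"] else "ok"
        print(f"{r['name']} (pid {r['pid']}): {flag}; root-equivalent caps: "
              f"{', '.join(r['root_equivalent']) or 'none'}")
```

Run it on a live system by iterating over `/proc/[0-9]*/status` and calling `audit_status()` on each; any service that reports CAP_SYS_ADMIN in its effective set is a candidate for a tighter `CapabilityBoundingSet=` in its unit file, which is exactly the lock-down the thread says upstream needs to make possible.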