On Fri, Jul 10, 2020 at 11:51:55AM -0700, Kees Cook wrote: > Running the seccomp tests as a regular user shouldn't just fail tests > that require CAP_SYS_ADMIN (for getting a PID namespace). Instead, > detect those cases and SKIP them.
But if we unshare NEWUSER at the same time as NEWPID, shouldn't we always be ns_capable(CAP_SYS_ADMIN)? Tycho
