In k.org. 3.7 would work. 3.8-rcX would work even better.With recent changes this is tied to the initial user namespace. So theI'm not sure I follow. Are these changes in k.org, or in another
simple solution to this and so many other similiar security problems is
to run your container in a user namespace.
The permission check currently is capable(CAP_SYS_ADMIN) which requires
the caller to have the CAP_SYS_ADMIN in the initial user namespace.
repository someplace?
root in a user namespace does not have permission to call TIOCCONS.