在我们评测华为「二合一」产品 MatePad Edge 时,编辑部那些伴随着平板长大的年轻同事,虽然 80% 的工作时间都在用键鼠,但也会自然地经常伸手点击屏幕,甚至换回 MacBook 后还有点不太习惯。
If you enable --privileged just to get CAP_SYS_ADMIN for nested process isolation, you have added one layer (nested process visibility) while removing several others (seccomp, all capability restrictions, device isolation). The net effect is arguably weaker isolation than a standard unprivileged container. This is a real trade-off that shows up in production. The ideal solutions are either to grant only the specific capability needed instead of all of them, or to use a different isolation approach entirely that does not require host-level privileges.
,推荐阅读WPS官方版本下载获取更多信息
Фото: Arafat Barbakh / Reuters
Follow topics & set alerts with myFT
Less than: Every domino half in this space must add up to less than the number.