[lxc-devel] ioctl CAP_LINUX_IMMUTABLE is checked in the wrong namespace
Andy Lutomirski
luto at amacapital.net
Tue Apr 29 18:37:20 UTC 2014
On 04/29/2014 06:49 AM, Marian Marinov wrote:
> Hello,
> when using user namespaces I found a bug in the capability checks done
> by ioctl.
>
> If someone tries to use chattr +i while in a different user namespace it
> will get the following:
>
> ioctl(3, EXT2_IOC_SETFLAGS, 0x7fffa4fedacc) = -1 EPERM (Operation not permitted)
NAK. This is correct: you don't want users to be able to
unshare(CLONE_NEWUSER) and then start playing with the immutable bit.
--Andy
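The following C program is an added example, not code from the thread or from either poster, that reproduces the observation above from the other side: a child process enters a fresh user namespace with unshare(CLONE_NEWUSER), which gives it every capability inside that namespace, and then tries to set the immutable flag on a scratch file. Because the kernel checks CAP_LINUX_IMMUTABLE against the initial user namespace, the FS_IOC_SETFLAGS ioctl (the generic name for EXT2_IOC_SETFLAGS) is expected to fail with EPERM. It assumes a Linux host where unprivileged user namespaces are permitted and where /tmp is on a filesystem that implements these ioctls (ext4, xfs, btrfs); if either assumption fails, the program reports the errno it hit instead, which is never 0.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/fs.h>

/* Explicit prototypes and constant in case a harness pulled in libc headers
 * before _GNU_SOURCE was visible; they are harmless duplicates otherwise. */
int unshare(int flags);
int mkstemp(char *tmpl);
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Set FS_IMMUTABLE_FL on an open descriptor. Returns 0 on success, otherwise
 * the errno: EPERM is the case discussed in the thread, ENOTTY means the
 * filesystem does not implement the flag ioctls at all. */
int set_immutable(int fd)
{
    int flags;
    if (ioctl(fd, FS_IOC_GETFLAGS, &flags) == -1)
        return errno;
    flags |= FS_IMMUTABLE_FL;
    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == -1)
        return errno;
    return 0;
}

/* Open `path`, then in a forked child enter a new user namespace and call
 * set_immutable(). Returns the errno the child saw: EPERM when the kernel
 * correctly refuses, the unshare() errno when new user namespaces are not
 * available here, or 0 only if the kernel wrongly honoured the capability
 * held in the new namespace. */
int immutable_from_new_userns(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return errno;
    pid_t pid = fork();
    if (pid == -1) {
        int e = errno;
        close(fd);
        return e;
    }
    if (pid == 0) {
        /* Child: all capabilities in the new namespace, none in init_user_ns. */
        if (unshare(CLONE_NEWUSER) == -1)
            _exit(errno & 0xff);
        _exit(set_immutable(fd) & 0xff);
    }
    close(fd);
    int status;
    if (waitpid(pid, &status, 0) == -1)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINTR;
}

/* Create a constructed scratch file, run the experiment, clean up, and
 * return the errno (cleanup would fail only if the flag had been set). */
int demo(void)
{
    char path[] = "/tmp/immutable-test-XXXXXX";
    int fd = mkstemp(path);
    if (fd == -1)
        return errno;
    close(fd);
    int err = immutable_from_new_userns(path);
    unlink(path);
    return err;
}

int main(void)
{
    int err = demo();
    printf("FS_IOC_SETFLAGS(+i) from a new user namespace: %s\n",
           err ? strerror(err) : "succeeded (unexpected)");
    return err == EPERM ? 0 : 1;
}
```

Run it as an ordinary user; on a kernel behaving as Andy describes, the output line ends in "Operation not permitted", which is the same EPERM that Marian's strace captured, now produced on purpose as a regression check rather than stumbled upon.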