[lxc-devel] capset fails with userns

Stephan Sachse ste.sachse at gmail.com
Wed Feb 26 10:36:23 UTC 2014


trusted.* xattrs are only for CAP_SYS_ADMIN

[host] # setfattr -n trusted.me.md5 -v d41d8cd98f00b204e9800998ecf8427e xattr-test
[host] # getfattr -m - -d xattr-test
# file: xattr-test
trusted.me.md5="d41d8cd98f00b204e9800998ecf8427e"

[lxc] # getfattr -n trusted.me.md5 xattr-test
xattr-test: trusted.me.md5: No such attribute
[lxc] # strace -e trace=getxattr getfattr -n trusted.me.md5 xattr-test
getxattr("xattr-test", "trusted.me.md5", 0x0, 0) = -1 ENODATA (No data available)
xattr-test: trusted.me.md5: No such attribute
+++ exited with 1 +++

maybe ENODATA is from here http://lxr.free-electrons.com/source/fs/xattr.c#L56

So the capable(CAP_SYS_ADMIN) check fails. And if this check fails, the
check in cap_inode_setxattr()
http://lxr.free-electrons.com/source/security/commoncap.c#L620 will
also fail. But I don't know why; CAP_SYS_ADMIN is there.

/stephan

-- 
Software is like sex, it's better when it's free!
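Added example (editor's code, not part of Stephan's post or of LXC): a small Python diagnostic that reads what strace alone cannot show, the CapEff mask from /proc/self/status and /proc/self/uid_map, and classifies a trusted.* getxattr result. The case it is built around is the one in the post: CAP_SYS_ADMIN is present in the effective set, but it is held in a child user namespace, and the trusted.* gate in xattr_permission() uses capable(), which is evaluated against the initial user namespace, so the attribute is reported as ENODATA rather than denied. The CapEff/uid_map strings in SAMPLES, the verdict labels and the Linux /proc layout are assumptions; the attribute name trusted.me.md5 is taken from the post.

```python
import errno
import os

CAP_SYS_ADMIN = 21                              # bit number from <linux/capability.h>
INIT_USERNS_UID_MAP = ["0", "0", "4294967295"]  # identity map only init_user_ns shows

def has_cap_sys_admin(status_text):
    """Parse the CapEff line of /proc/<pid>/status and test the CAP_SYS_ADMIN bit."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return bool((int(line.split()[1], 16) >> CAP_SYS_ADMIN) & 1)
    raise ValueError("no CapEff line in status text")

def in_child_userns(uid_map_text):
    return uid_map_text.split() != INIT_USERNS_UID_MAP  # anything else is a child ns

def diagnose(status_text, uid_map_text, xattr_errno):
    """Classify a getxattr("trusted.*") outcome; xattr_errno is None on success."""
    if xattr_errno is None:
        return "readable"
    if xattr_errno != errno.ENODATA:
        return "other-error"        # not the trusted.* gate in xattr_permission()
    if not has_cap_sys_admin(status_text):
        return "missing-cap"        # plain unprivileged caller, attribute hidden
    if in_child_userns(uid_map_text):
        # CapEff shows CAP_SYS_ADMIN, but it is namespace-local; the trusted.* gate
        # uses capable() against init_user_ns, so the attribute reads as absent.
        return "hidden-by-userns"
    return "really-absent"          # privileged in init_user_ns: not set at all

# Constructed samples modelled on the session in the post (not real captures).
SAMPLES = {
    "host-root":  ("CapEff:\t0000003fffffffff\n", "0 0 4294967295\n", None),
    "lxc-root":   ("CapEff:\t0000003fffffffff\n", "0 100000 65536\n", errno.ENODATA),
    "host-user":  ("CapEff:\t0000000000000000\n", "0 0 4294967295\n", errno.ENODATA),
    "host-unset": ("CapEff:\t0000003fffffffff\n", "0 0 4294967295\n", errno.ENODATA),
}

def run_samples():
    return {label: diagnose(*args) for label, args in SAMPLES.items()}

def probe(path, name="trusted.me.md5"):
    """Live check on this Linux host: read our own status/uid_map, then getxattr."""
    with open("/proc/self/status") as s, open("/proc/self/uid_map") as u:
        status, uid_map = s.read(), u.read()
    try:
        os.getxattr(path, name)
    except OSError as e:
        return diagnose(status, uid_map, e.errno)
    return diagnose(status, uid_map, None)
```

From inside the container, "hidden-by-userns" and a genuinely unset attribute cannot be told apart; only a caller privileged in the initial namespace (the [host] session in the post) can confirm the value is there.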

