[lxc-devel] capset fails with userns

Serge Hallyn serge.hallyn at ubuntu.com
Wed Feb 26 14:46:55 UTC 2014


Quoting Stephan Sachse (ste.sachse at gmail.com):
> w/ userns:
> [root@fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
> Failed to set capabilities on file `/usr/bin/ping' (Operation not permitted)
> [root@fedora2 ~]# id
> uid=0(root) gid=0(root) groups=0(root)
> 
> w/o userns:
> [root@fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
> [root@fedora2 ~]# getcap /usr/bin/ping
> /usr/bin/ping = cap_net_admin,cap_net_raw+ep
> [root@fedora2 ~]# id
> uid=0(root) gid=0(root) groups=0(root)
> 
> Every yum install <pkg> where the pkg has file capabilities fails with:
> 
> Error unpacking rpm package <PKG>
> error: unpacking of archive failed on file <FILE>: cpio: cap_set_file
> 
> Is there a way to get this working?
> 
> I have searched through
> https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/
> but found nothing useful for my problem.

Look at security/commoncap.c:cap_inode_setxattr()

Whereas file ownership is properly namespaced, and task capabilities
are properly namespaced, file capabilities are more problematic.  To
support this, I think we'd need a new capability xattr format.  If we
add the kuid_t of the user_namespace root id, I think we could safely
support this.

-serge
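
Added example, not part of the original thread: a decoder for the raw security.capability xattr value, covering the v2 layout and the later VFS_CAP_REVISION_3 layout from include/uapi/linux/capability.h, which appends a rootid field like the one proposed above. The struct file_caps, the function names and the sample byte arrays are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Values from include/uapi/linux/capability.h */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_REVISION_3      0x03000000u  /* v2 plus a trailing rootid */
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001u
#define CAP_NET_ADMIN 12
#define CAP_NET_RAW   13

struct file_caps {                /* hypothetical decoded form, not a kernel type */
    int      revision, effective;
    uint64_t permitted, inheritable;
    uint32_t rootid;  /* kuid of the owning user namespace's root; 0 for v2 */
};

/* Constructed samples: cap_net_admin,cap_net_raw+ep as v2, and as v3 with rootid 100000 */
static const unsigned char SAMPLE_V2[20] = { 0x01,0,0,0x02, 0,0x30,0,0 };
static const unsigned char SAMPLE_V3[24] = { 0x01,0,0,0x03, 0,0x30,0,0,
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0xa0,0x86,0x01,0x00 };

/* All on-disk fields are little-endian 32-bit words. */
static uint32_t le32(const unsigned char *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a raw xattr value; 0 on success, -1 if malformed or an unsupported revision. */
int parse_file_caps(const unsigned char *buf, size_t len, struct file_caps *out)
{
    if (len < 4) return -1;
    uint32_t magic = le32(buf), rev = magic & VFS_CAP_REVISION_MASK;
    /* The revision fixes the exact size; reject truncated or padded blobs. */
    if (!(rev == VFS_CAP_REVISION_2 && len == 20) &&
        !(rev == VFS_CAP_REVISION_3 && len == 24)) return -1;
    memset(out, 0, sizeof *out);
    out->revision    = (int)(rev >> 24);
    out->effective   = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    out->permitted   = le32(buf + 4) | (uint64_t)le32(buf + 12) << 32;
    out->inheritable = le32(buf + 8) | (uint64_t)le32(buf + 16) << 32;
    if (rev == VFS_CAP_REVISION_3) out->rootid = le32(buf + 20);
    return 0;
}

/* Test one capability bit in the permitted set. */
int has_cap(const struct file_caps *fc, int cap)
{
    return (int)((fc->permitted >> cap) & 1);
}
```

On a live system the raw value can be read with getxattr(2) on "security.capability" and passed to parse_file_caps(); a nonzero rootid marks capabilities that were set from inside a user namespace.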

