[lxc-devel] capset fails with userns
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Feb 26 14:46:55 UTC 2014
Quoting Stephan Sachse (ste.sachse at gmail.com):
> w/ userns:
> [root@fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
> Failed to set capabilities on file `/usr/bin/ping' (Operation not permitted)
> [root@fedora2 ~]# id
> uid=0(root) gid=0(root) groups=0(root)
>
> w/o userns:
> [root@fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
> [root@fedora2 ~]# getcap /usr/bin/ping
> /usr/bin/ping = cap_net_admin,cap_net_raw+ep
> [root@fedora2 ~]# id
> uid=0(root) gid=0(root) groups=0(root)
>
> Every yum install <pkg> where the pkg has file capabilities fails with
>
> Error unpacking rpm package <PKG>
> error: unpacking of archive failed on file <FILE>: cpio: cap_set_file
>
> Is there a way to get this working?
>
> I have searched through
> https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/
> but found nothing useful for my problem.

Look at security/commoncap.c:cap_inode_setxattr()

Whereas file ownership is properly namespaced, and task capabilities
are properly namespaced, file capabilities are more problematic. To
support this, I think we'd need a new capability xattr format. If we
add the kuid_t of the user_namespace root id, I think we could safely
support this.
-serge
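
Added example, not part of the original message and not kernel code: a parser for the `security.capability` xattr payload discussed in the reply above. Revision 2 is the 20-byte format that carries no owner information; revision 3, which later kernels added, appends a root uid field as the reply proposes. The sample blobs are constructed, and `parse_filecap` and `struct filecap` are names chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Values from Linux include/uapi/linux/capability.h */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_2      0x02000000u  /* 20 bytes, no owner information */
#define VFS_CAP_REVISION_3      0x03000000u  /* 24 bytes, trailing rootid */
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u

/* Hypothetical result type for this example */
struct filecap { int revision, effective, has_rootid; uint64_t permitted, inheritable; uint32_t rootid; };

/* Constructed samples: cap_net_admin (bit 12) and cap_net_raw (bit 13) with "+ep" */
static const unsigned char SAMPLE_V2[20] = { 0x01,0,0,0x02, 0,0x30,0,0 };
static const unsigned char SAMPLE_V3[24] = { 0x01,0,0,0x03, 0,0x30,0,0, 0,0,0,0,
                                             0,0,0,0, 0,0,0,0, 0xA0,0x86,0x01,0 }; /* rootid 100000 */

/* All on-disk fields are little-endian 32-bit words */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 on success, -1 on unknown revision or a length that does not match it */
int parse_filecap(const unsigned char *buf, size_t len, struct filecap *out)
{
    if (len < 4) return -1;
    uint32_t magic = le32(buf), rev = magic & VFS_CAP_REVISION_MASK;
    if (rev == VFS_CAP_REVISION_2 && len == 20) out->revision = 2;
    else if (rev == VFS_CAP_REVISION_3 && len == 24) out->revision = 3;
    else return -1;
    out->effective   = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    /* Layout: magic, then {permitted, inheritable} for the low and high 32 capability bits */
    out->permitted   = le32(buf + 4) | (uint64_t)le32(buf + 12) << 32;
    out->inheritable = le32(buf + 8) | (uint64_t)le32(buf + 16) << 32;
    out->has_rootid  = out->revision == 3;
    out->rootid      = out->has_rootid ? le32(buf + 20) : 0; /* uid of the owning userns root */
    return 0;
}

int main(void)
{
    struct filecap fc;
    if (parse_filecap(SAMPLE_V3, sizeof SAMPLE_V3, &fc) == 0)
        printf("rev=%d permitted=0x%llx rootid=%u\n", fc.revision,
               (unsigned long long)fc.permitted, (unsigned)fc.rootid);
    return 0;
}
```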