[lxc-devel] capset fails with userns

Stephan Sachse ste.sachse at gmail.com
Wed Feb 26 16:45:16 UTC 2014


> Look at security/commoncap.c:cap_inode_setxattr()
>
> Whereas file ownership is properly namespaced, and task capabilities
> are properly namespaced, file capabilities are more problematic.  To
> support this, I think we'd need a new capability xattr format.  If we
> add the kuid_t of the user_namespace root id, I think we could safely
> support this.

sorry for this :) but i'm not a kernel/c programmer.

maybe there must be more than one cap set per file.

security.capability for the init_ns
security.capability.{kuid_t} for the userns

the name of the xattr must be transparently mapped.

in userns for get*() if there is no security.capability.{kuid_t} use
the security.capability. but never write to security.capability always
to security.capability.{kuid_t}

or the format of security.capability must be changed to support more
than one set of caps. every capability set must be associated with a
kuid_t.

back to line one of my mail: i'm not a kernel/c programmer :'(

/stephan

-- 
Software is like sex, it's better when it's free!
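
A userspace model of the xattr name mapping proposed in the message above, added here as an illustration; it is not kernel code and does not come from the thread. The in-memory table, the function names, the use of 0 to stand for init_ns and the textual capability values are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define BASE "security.capability"
#define MAX_XATTRS 8

/* Toy per-file xattr table (assumption: stands in for the inode's xattrs). */
struct xattr { char name[64]; char value[32]; };
struct file { struct xattr x[MAX_XATTRS]; int n; };

static const char *raw_get(const struct file *f, const char *name) {
    for (int i = 0; i < f->n; i++)
        if (strcmp(f->x[i].name, name) == 0) return f->x[i].value;
    return NULL;
}

static int raw_set(struct file *f, const char *name, const char *value) {
    int i;
    for (i = 0; i < f->n; i++)
        if (strcmp(f->x[i].name, name) == 0) break;
    if (i == MAX_XATTRS) return -1;          /* table full */
    snprintf(f->x[i].name, sizeof f->x[i].name, "%s", name);
    snprintf(f->x[i].value, sizeof f->x[i].value, "%s", value);
    if (i == f->n) f->n++;                   /* appended a new entry */
    return 0;
}

/* Map the requested name to the stored name. root_kuid is the kuid of the
 * namespace root; 0 models init_ns (assumption of this example). */
static void mapped_name(unsigned root_kuid, char *out, size_t len) {
    if (root_kuid == 0) snprintf(out, len, "%s", BASE);
    else snprintf(out, len, "%s.%u", BASE, root_kuid);
}

/* get: prefer security.capability.{kuid_t}, fall back to security.capability. */
const char *caps_get(const struct file *f, unsigned root_kuid) {
    char name[64];
    mapped_name(root_kuid, name, sizeof name);
    const char *v = raw_get(f, name);
    return v ? v : raw_get(f, BASE);
}

/* set: a userns writer only ever touches its own suffixed xattr. */
int caps_set(struct file *f, unsigned root_kuid, const char *value) {
    char name[64];
    mapped_name(root_kuid, name, sizeof name);
    return raw_set(f, name, value);
}
```

In this model a write from one user namespace leaves both the init_ns value and every other namespace's view unchanged, which is the isolation property the proposal depends on.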

