[lxc-devel] capset fails with userns

Eric W. Biederman ebiederm at xmission.com
Wed Feb 26 16:22:04 UTC 2014


Serge Hallyn <serge.hallyn at ubuntu.com> writes:

> Quoting Stephan Sachse (ste.sachse at gmail.com):
>> w/ userns:
>> [root at fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
>> Failed to set capabilities on file `/usr/bin/ping' (Operation not permitted)
>> [root at fedora2 ~]# id
>> uid=0(root) gid=0(root) groups=0(root)
>> 
>> w/o userns:
>> [root at fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
>> [root at fedora2 ~]# getcap /usr/bin/ping
>> /usr/bin/ping = cap_net_admin,cap_net_raw+ep
>> [root at fedora2 ~]# id
>> uid=0(root) gid=0(root) groups=0(root)
>> 
>> every yum install <pkg> where the pkg has file capabilities fails with

Which should be a very small handful of packages, or else there is a
problem with your distro.

>> Error unpacking rpm package <PKG>
>> error: unpacking of archive failed on file <FILE>: cpio: cap_set_file
>> 
>> is there a way to get this working?
>> 
>> i have searched through
>> https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/
>> but found nothing useful for my problem
>
> Look at security/commoncap.c:cap_inode_setxattr()
>
> Whereas file ownership is properly namespaced, and task capabilities
> are properly namespaced, file capabilities are more problematic.  To
> support this, I think we'd need a new capability xattr format.  If we
> add the kuid_t of the user_namespace root id, I think we could safely
> support this.

Agreed.  That does sound like a workable way to handle this, and it appears
no worse than supporting setuid/setgid to that user.

We could also allow this for filesystems mounted in the current user
namespace but that is another piece of work on the wish list that hasn't
been implemented so it really doesn't help with this problem.

And Serge I heartily agree with your nak of the proposed patch.

Eric
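A quick check for the situation described in this thread, added here as an example and not code from the lxc-devel thread or the kernel: it tells from /proc/self/uid_map whether the process is in the initial user namespace (the init namespace shows the identity map "0 0 4294967295", a child namespace shows anything else), and optionally probes whether setcap on a scratch file succeeds. It assumes a Linux /proc and, for the live probe, the setcap/getcap tools from libcap.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux /proc; the live probe
# additionally assumes libcap's setcap/getcap are installed.

# Decide from the contents of a /proc/<pid>/uid_map whether that process is
# in the initial user namespace. The init namespace maps the whole range
# onto itself ("0 0 4294967295"); any other map (or several lines) means a
# child user namespace, where the thread reports setcap fails with EPERM.
# $1: uid_map contents (one or more "inside outside count" lines)
in_init_userns_map() {
    set -- $1    # unquoted on purpose: split into fields
    [ "$#" -eq 3 ] && [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ]
}

# Live probe: try to attach a file capability to a temporary file.
# Returns 0 if setcap succeeds, 1 if it fails (the "Operation not permitted"
# case from the thread), 2 if setcap/mktemp are unavailable.
probe_file_caps() {
    command -v setcap >/dev/null 2>&1 || return 2
    probe_tmp=$(mktemp) || return 2
    if setcap 'cap_net_raw+ep' "$probe_tmp" 2>/dev/null; then
        getcap "$probe_tmp"
        rm -f "$probe_tmp"
        return 0
    fi
    rm -f "$probe_tmp"
    return 1
}

# Report on the current process: where it is, and whether setcap works.
report_userns_filecaps() {
    if [ -r /proc/self/uid_map ] && in_init_userns_map "$(cat /proc/self/uid_map)"; then
        echo "initial user namespace"
    else
        echo "child user namespace (uid_map is not the identity map)"
    fi
    probe_file_caps
    case $? in
        0) echo "setcap on a scratch file: OK" ;;
        1) echo "setcap on a scratch file: failed (EPERM expected inside a userns)" ;;
        *) echo "setcap on a scratch file: not probed (tools missing)" ;;
    esac
}

# Run the report when executed directly (harmless if sourced for the functions).
[ "${REPORT_USERNS:-0}" = 1 ] && report_userns_filecaps
```

Run with `REPORT_USERNS=1 sh probe.sh` both on the host and inside the container to compare; a non-identity uid_map together with a failing setcap is the combination the thread is about, and is also why an rpm carrying file capabilities fails at cpio: cap_set_file in that container.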



More information about the lxc-devel mailing list