[lxc-users] unprivileged container + setcap not working

Serge E. Hallyn serge at hallyn.com
Tue Jan 2 05:16:45 UTC 2018


On Mon, Dec 18, 2017 at 01:28:44AM +0000, Philip wrote:
> Yes, no need to set init_uid in this situation (unprivileged container +
> setcap):
> lxc.network.type = none --> CLONE_NEWNET is not set on clone --> when
> creating a raw socket, kernel cap_capable(), ns != cred->user_ns -->
> cap_raised() is not checked --> the unprivileged testapp gets an EPERM error.
> Does cap_capable() need to be patched for this case?

... if you're suggesting patching cap_capable() so that you get
CAP_NET_ADMIN or CAP_NET_RAW in that case, that's a bad idea, 
since then any unpriv process can just clone a new userns to gain
privilege against the host's network ns.
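The following is an added userspace model of the decision the thread is about; it is not code from this thread or from LXC, and the structs are deliberately simplified stand-ins for the kernel's struct user_namespace and struct cred. It walks the same ownership chain that cap_capable() in security/commoncap.c walks, and reproduces both the EPERM Philip describes (task in a child user namespace, host network namespace owned by the initial user namespace) and the contrast cases: a network namespace created with CLONE_NEWNET inside the container, and a host task with the capability in the initial namespace acting on a child.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for struct user_namespace (assumption: only the
 * fields cap_capable() consults are modelled). */
struct user_ns {
    struct user_ns *parent;   /* NULL for the initial user namespace */
    int level;                /* depth below the initial namespace (0 at root) */
    unsigned int owner_uid;   /* kuid of the task that created this namespace */
};

/* Simplified stand-in for struct cred. */
struct cred_model {
    struct user_ns *user_ns;           /* namespace the task's caps are valid in */
    unsigned int euid;                 /* effective uid as a kuid */
    unsigned long long cap_effective;  /* one bit per capability */
};

#define CAP_NET_ADMIN 12
#define CAP_NET_RAW   13
#define CAP_BIT(c)    (1ULL << (c))

static bool cap_raised(unsigned long long set, int cap)
{
    return (set & CAP_BIT(cap)) != 0;
}

/* Model of cap_capable(): targ_ns is the user namespace that owns the
 * object being accessed. For a raw socket that is the owner of the
 * network namespace the socket is created in. */
int model_cap_capable(const struct cred_model *cred, struct user_ns *targ_ns, int cap)
{
    struct user_ns *ns = targ_ns;

    for (;;) {
        /* Same namespace: the effective capability bit decides. */
        if (ns == cred->user_ns)
            return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;

        /* Target is at or above the task's namespace: capabilities held in
         * a child user namespace never reach up. This is the EPERM branch
         * hit when lxc.network.type = none leaves the container in the
         * host's network namespace. Note cap_raised() is never consulted. */
        if (ns->level <= cred->user_ns->level)
            return -EPERM;

        /* The task's namespace is the direct parent of the target and the
         * task's euid created the target: creator has all caps over it. */
        if (ns->parent == cred->user_ns && ns->owner_uid == cred->euid)
            return 0;

        /* A capability held in an ancestor namespace holds over all
         * descendants: walk up one level and test again. */
        ns = ns->parent;
    }
}

/* Constructed topology: init_ns (host) and one child user namespace
 * created by host uid 1000, as an unprivileged container would have. */
static struct user_ns init_ns  = { .parent = NULL,     .level = 0, .owner_uid = 0 };
static struct user_ns child_ns = { .parent = &init_ns, .level = 1, .owner_uid = 1000 };

/* Thread's scenario: container task with CAP_NET_RAW in child_ns, raw
 * socket in the host network namespace (owned by init_ns). Returns -EPERM. */
int raw_socket_without_newnet(void)
{
    struct cred_model task = { .user_ns = &child_ns, .euid = 0,
                               .cap_effective = CAP_BIT(CAP_NET_RAW) };
    return model_cap_capable(&task, &init_ns, CAP_NET_RAW);
}

/* With CLONE_NEWNET the container's network namespace is owned by
 * child_ns, so the same capability bit is honoured. Returns 0. */
int raw_socket_with_newnet(void)
{
    struct cred_model task = { .user_ns = &child_ns, .euid = 0,
                               .cap_effective = CAP_BIT(CAP_NET_RAW) };
    return model_cap_capable(&task, &child_ns, CAP_NET_RAW);
}

/* Host task holding CAP_NET_ADMIN in init_ns acting on the container's
 * namespace: the walk up reaches init_ns and succeeds. Returns 0. */
int host_cap_over_child(void)
{
    struct cred_model task = { .user_ns = &init_ns, .euid = 0,
                               .cap_effective = CAP_BIT(CAP_NET_ADMIN) };
    return model_cap_capable(&task, &child_ns, CAP_NET_ADMIN);
}

int main(void)
{
    printf("child ns -> host net ns (no CLONE_NEWNET): %d (EPERM is %d)\n",
           raw_socket_without_newnet(), -EPERM);
    printf("child ns -> own net ns (CLONE_NEWNET):      %d\n", raw_socket_with_newnet());
    printf("host init ns -> child ns:                   %d\n", host_cap_over_child());
    return 0;
}
```

The `ns->level <= cred->user_ns->level` branch is the one a patch granting caps "in that case" would have to weaken, and the model makes the consequence visible: any task that can unshare a user namespace would then hold CAP_NET_RAW or CAP_NET_ADMIN over the host's network namespace, which is exactly the objection above. Giving the container its own network namespace moves the target under `child_ns` instead, so the capability is honoured without touching the kernel.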

