[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] LXC: capset fails with userns



> The capable() function only suceeds in the primary host namespace.
>
> The kernel uses  ns_capable() in cases where container namespaces
> are allowed to use capabilities.
>
> So this indicates that the kernel guys didn't believe it to be
> safe to allow use of the 'trusted' xattr namespace in containers.
>
> That said, I didn't think the 'trusted.' prefix was needed for
> package installation. It thought it used the 'security.' xattr
> prefix for file ACLs.

the trusted.* prefix was for testing, because it checks also at
reading the attributes.

security.capability is used for setcap

http://lxr.free-electrons.com/source/security/commoncap.c#L620

but it also use capable()

setfacl works fine

/stephan

-- 
Software is like sex, it's better when it's free!


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]