"Serge E. Hallyn" <se...@us.ibm.com> writes: > But that's only if fred has CAP_KILL in a user namespace which is > ancestor to joe's process. Only fred's processes in a child > userns should have CAP_KILL.
Got it. What I don't see in your implementation is how you can kill a child that is in it's own user namespace if you don't have CAP_KILL. >> Which matters because we can set the hostname through /proc/sys.... > > Oh, right. However, utsname doesn't have a creator, and we won't always > want to use user namespaces to authorize. For instance, for CAP_NET_ADMIN > we'll want to compare the net_ns. That's why I had the switch inside > capable_to() based on ns type. I disagree. For CAP_NET_ADMIN we will want to do: ns_capable(net->userns, CAP_NET_ADMIN); Network namespaces do not have a hierarchy so I don't see how they would be useful in this context. When we add an unprivileged unshare it is trivial to capture either the creator or at least the creators user namespace. Giving us a usernamespace to compare against. Eric _______________________________________________ Containers mailing list contain...@lists.linux-foundation.org https://lists.linux-foundation.org/mailman/listinfo/containers _______________________________________________ Devel mailing list Devel@openvz.org https://openvz.org/mailman/listinfo/devel
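The check the thread argues over, written out as a self-contained model (added here for illustration; this is not the kernel's code and not code from either poster): a task holds a capability over an object only if it has that capability in its own user namespace and that namespace is the object's owning user namespace or an ancestor of it. A network namespace carries no hierarchy of its own, only the user namespace captured when it was created, which is the `net->userns` Eric refers to. The namespace tree, task names, capability bit values and `*_model` function names below are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Capability bits for the model; the numbering is this example's own,
 * not the kernel's CAP_* values. */
enum { CAP_KILL_BIT = 1 << 0, CAP_NET_ADMIN_BIT = 1 << 1 };

struct user_namespace {
    const char *name;
    struct user_namespace *parent;   /* NULL for the initial user ns */
};

/* A net ns has no parent; it only records the user ns of its creator. */
struct net {
    const char *name;
    struct user_namespace *userns;
};

struct task {
    const char *name;
    struct user_namespace *userns;   /* user ns the task lives in */
    unsigned caps;                   /* caps it holds in that user ns */
};

/* Model of ns_capable(ns, cap): succeed only if the task holds `cap` and
 * its own user ns is `ns` or an ancestor of `ns`. Walking upward from the
 * object's ns means a task in a child or sibling ns never matches. */
bool ns_capable_model(const struct task *t,
                      const struct user_namespace *ns, unsigned cap)
{
    if (!(t->caps & cap))
        return false;
    for (; ns != NULL; ns = ns->parent)
        if (ns == t->userns)
            return true;
    return false;
}

/* CAP_KILL is authorised against the target task's user ns. */
bool may_kill(const struct task *src, const struct task *target)
{
    return ns_capable_model(src, target->userns, CAP_KILL_BIT);
}

/* CAP_NET_ADMIN is authorised against net->userns, as in the thread. */
bool may_net_admin(const struct task *t, const struct net *n)
{
    return ns_capable_model(t, n->userns, CAP_NET_ADMIN_BIT);
}

/* Constructed scenario (not from the thread): init ns with two child
 * user namespaces; joe is in init, fred in his own child ns, bob in a
 * sibling child ns. All three hold CAP_KILL and CAP_NET_ADMIN locally. */
struct user_namespace init_ns  = { "init",  NULL };
struct user_namespace fred_ns  = { "fred",  &init_ns };
struct user_namespace other_ns = { "other", &init_ns };
struct task joe  = { "joe",  &init_ns,  CAP_KILL_BIT | CAP_NET_ADMIN_BIT };
struct task fred = { "fred", &fred_ns,  CAP_KILL_BIT | CAP_NET_ADMIN_BIT };
struct task bob  = { "bob",  &other_ns, CAP_KILL_BIT | CAP_NET_ADMIN_BIT };
struct net fred_net = { "fred_net", &fred_ns };   /* created from fred_ns */

int main(void)
{
    printf("joe kills fred:  %s\n", may_kill(&joe, &fred) ? "yes" : "no");
    printf("fred kills joe:  %s\n", may_kill(&fred, &joe) ? "yes" : "no");
    printf("bob kills fred:  %s\n", may_kill(&bob, &fred) ? "yes" : "no");
    printf("fred kills fred: %s\n", may_kill(&fred, &fred) ? "yes" : "no");
    printf("joe admins fred_net:  %s\n", may_net_admin(&joe, &fred_net) ? "yes" : "no");
    printf("fred admins fred_net: %s\n", may_net_admin(&fred, &fred_net) ? "yes" : "no");
    printf("bob admins fred_net:  %s\n", may_net_admin(&bob, &fred_net) ? "yes" : "no");
    return 0;
}
```

The ancestor walk is what makes "only fred's processes in a child userns" safe: fred's CAP_KILL is real inside `fred_ns`, but it never reaches joe in the parent ns, while joe's CAP_KILL in the parent reaches down into every descendant. The same walk, started from `net->userns`, settles the CAP_NET_ADMIN case without any type switch on the namespace being administered.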