Quoting Stephan Sachse (ste.sac...@gmail.com):
> w/ userns:
> [root@fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
> Failed to set capabilities on file `/usr/bin/ping' (Operation not permitted)
> [root@fedora2 ~]# id
> uid=0(root) gid=0(root) groups=0(root)
>
> w/o userns:
> [root@fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
> [root@fedora2 ~]# getcap /usr/bin/ping
> /usr/bin/ping = cap_net_admin,cap_net_raw+ep
> [root@fedora2 ~]# id
> uid=0(root) gid=0(root) groups=0(root)
>
> Every yum install <pkg> where the pkg has file capabilities fails with
>
> Error unpacking rpm package <PKG>
> error: unpacking of archive failed on file <FILE>: cpio: cap_set_file
>
> Is there a way to get this working?
>
> I have searched through
> https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/
> but found nothing useful for my problem.
Look at security/commoncap.c:cap_inode_setxattr()

Whereas file ownership is properly namespaced, and task capabilities are properly namespaced, file capabilities are more problematic. To support this, I think we'd need a new capability xattr format. If we add the kuid_t of the user_namespace root id, I think we could safely support this.

-serge

_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
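To make the format question in Serge's reply concrete, here is an added example (not code from the thread or from the LXC project) that decodes and encodes the `security.capability` xattr value that `setcap` writes. The v1/v2 layouts are the `struct vfs_cap_data` from the kernel's uapi `capability.h`; the v3 layout, which appends the owning namespace root's kuid, is the extension Serge sketches (and is the `VFS_CAP_REVISION_3` format later kernels adopted). The `CAP_NAMES` table is a constructed subset, and `honoured_in_namespace` is a deliberately simplified model of the ownership check, not the kernel's exact rule.

```python
import struct

# Layout constants from the kernel's uapi capability.h (struct vfs_cap_data)
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_REVISION_1 = 0x01000000   # one u32 per set, 12 bytes in total
VFS_CAP_REVISION_2 = 0x02000000   # two u32 per set, 20 bytes (what setcap writes above)
VFS_CAP_REVISION_3 = 0x03000000   # v2 layout plus a trailing u32 rootid, 24 bytes

CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
# Constructed subset of capability names; libcap prints unknown bits as numbers
CAP_NAMES = {CAP_NET_ADMIN: "cap_net_admin", CAP_NET_RAW: "cap_net_raw"}


def parse_vfs_cap(blob):
    """Decode a security.capability xattr value into its sets and root id."""
    if len(blob) < 4:
        raise ValueError("xattr too short for magic_etc")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    rev = magic_etc & VFS_CAP_REVISION_MASK
    sizes = {VFS_CAP_REVISION_1: (1, 12),
             VFS_CAP_REVISION_2: (2, 20),
             VFS_CAP_REVISION_3: (2, 24)}
    if rev not in sizes:
        raise ValueError("unknown vfs_cap_data revision 0x%08x" % rev)
    nwords, expected = sizes[rev]
    if len(blob) != expected:
        raise ValueError("revision 0x%08x expects %d bytes, got %d"
                         % (rev, expected, len(blob)))
    permitted = inheritable = 0
    off = 4
    for i in range(nwords):            # little-endian (permitted, inheritable) pairs, low word first
        p, inh = struct.unpack_from("<II", blob, off)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
        off += 8
    # v1/v2 carry no owner: they implicitly belong to the initial user namespace,
    # whose root has kuid 0. v3 names the owning namespace's root kuid explicitly.
    rootid = 0
    if rev == VFS_CAP_REVISION_3:
        (rootid,) = struct.unpack_from("<I", blob, off)
    return {"revision": rev >> 24,
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": permitted, "inheritable": inheritable, "rootid": rootid}


def build_vfs_cap(permitted, inheritable, effective, rootid=None):
    """Encode sets as a v2 xattr, or as v3 when a namespace root kuid is given."""
    if permitted >> 64 or inheritable >> 64:
        raise ValueError("only 64 capability bits are representable")
    rev = VFS_CAP_REVISION_2 if rootid is None else VFS_CAP_REVISION_3
    magic_etc = rev | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    out = struct.pack("<I", magic_etc)
    for i in range(2):
        out += struct.pack("<II", (permitted >> (32 * i)) & 0xFFFFFFFF,
                           (inheritable >> (32 * i)) & 0xFFFFFFFF)
    if rootid is not None:
        out += struct.pack("<I", rootid)
    return out


def getcap_text(caps):
    """Render like getcap(8): capability names followed by +e/i/p flags."""
    groups = {}
    for bit in range(64):
        flags = ""
        if caps["permitted"] >> bit & 1 and caps["effective"]:
            flags += "e"                # the single effective bit covers all permitted caps
        if caps["inheritable"] >> bit & 1:
            flags += "i"
        if caps["permitted"] >> bit & 1:
            flags += "p"
        if flags:
            groups.setdefault(flags, []).append(CAP_NAMES.get(bit, str(bit)))
    return " ".join("%s+%s" % (",".join(names), f) for f, names in groups.items())


def honoured_in_namespace(caps, ns_root_kuid):
    """Simplified model (an assumption for this example, not the kernel's exact
    rule): the xattr is usable by a user namespace whose root maps to the kuid
    it was written for. A v2 xattr therefore only ever matches kuid 0."""
    return caps["rootid"] == ns_root_kuid


if __name__ == "__main__":
    ping = (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW)
    v2 = build_vfs_cap(ping, 0, True)                  # what setcap writes on the host
    v3 = build_vfs_cap(ping, 0, True, rootid=100000)   # constructed: container root is kuid 100000
    for blob in (v2, v3):
        caps = parse_vfs_cap(blob)
        print("v%d rootid=%d %s" % (caps["revision"], caps["rootid"], getcap_text(caps)))
```

The v2 value has no field in which to record who wrote it, which is why a container root (whose uid 0 maps to some non-zero kuid) cannot be allowed to set it: the kernel would have no way to tell that xattr apart from one written by the host's root. Adding the root kuid, as in the v3 layout, lets the kernel honour such a file capability only for the namespace it belongs to.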