Serge Hallyn <serge.hal...@ubuntu.com> writes:

> Quoting Stephan Sachse (ste.sac...@gmail.com):
>> w/ userns:
>> [root@fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
>> Failed to set capabilities on file `/usr/bin/ping' (Operation not permitted)
>> [root@fedora2 ~]# id
>> uid=0(root) gid=0(root) groups=0(root)
>> 
>> w/o userns:
>> [root@fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
>> [root@fedora2 ~]# getcap /usr/bin/ping
>> /usr/bin/ping = cap_net_admin,cap_net_raw+ep
>> [root@fedora2 ~]# id
>> uid=0(root) gid=0(root) groups=0(root)
>> 
>> every yum install <pkg> where the pkg has file capabilities fails with

Which should be a very small handful of packages, or else there is a
problem with your distro.

>> Error unpacking rpm package <PKG>
>> error: unpacking of archive failed on file <FILE>: cpio: cap_set_file
>> 
>> is there a way to get this working?
>> 
>> i have searched through
>> https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/
>> but found nothing useful for my problem
>
> Look at security/commoncap.c:cap_inode_setxattr()
>
> Whereas file ownership is properly namespaced, and task capabilities
> are properly namespaced, file capabilities are more problematic.  To
> support this, I think we'd need a new capability xattr format.  If we
> add the kuid_t of the user_namespace root id, I think we could safely
> support this.

Agreed.  That does sound like a workable way to handle this, and it appears
no worse than supporting setuid/setgid to that user.

We could also allow this for filesystems mounted in the current user
namespace but that is another piece of work on the wish list that hasn't
been implemented so it really doesn't help with this problem.

And Serge I heartily agree with your nak of the proposed patch.

Eric

_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
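As an added illustration (not code from this thread or from the kernel), a decoder for the `security.capability` xattr layouts: the v1/v2 formats that `setcap` wrote at the time, plus the v3 layout Linux later adopted (VFS_CAP_REVISION_3, appending a `rootid` field), which realises the proposal above of recording the kuid of the user namespace root in the xattr. The sample blobs, and the rootid value 100000, are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Values from <linux/capability.h>, reproduced so this builds without kernel headers. */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u
#define VFS_CAP_REVISION_1      0x01000000u   /* one 32-bit word per set  */
#define VFS_CAP_REVISION_2      0x02000000u   /* two 32-bit words per set */
#define VFS_CAP_REVISION_3      0x03000000u   /* v2 layout + trailing rootid */

struct fcap {
    unsigned revision;
    int effective;          /* +e flag: permitted set raised on exec */
    uint64_t permitted, inheritable;
    uint32_t rootid;        /* v3 only: kuid of the owning userns root; 0 = init_user_ns root */
};

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a security.capability xattr blob. Returns 0 on success, -1 if the
 * revision is unknown or the length does not match that revision's layout. */
int decode_vfs_cap(const unsigned char *buf, size_t len, struct fcap *out) {
    if (len < 4) return -1;
    uint32_t magic = le32(buf);
    size_t words;
    switch (magic & VFS_CAP_REVISION_MASK) {
    case VFS_CAP_REVISION_1: out->revision = 1; words = 1; break;
    case VFS_CAP_REVISION_2: out->revision = 2; words = 2; break;
    case VFS_CAP_REVISION_3: out->revision = 3; words = 2; break;
    default: return -1;
    }
    if (len != 4 + words * 8 + (out->revision == 3 ? 4 : 0)) return -1;
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    out->permitted = out->inheritable = 0;
    for (size_t i = 0; i < words; i++) {          /* word i holds caps 32*i .. 32*i+31 */
        out->permitted   |= (uint64_t)le32(buf + 4 + i * 8) << (32 * i);
        out->inheritable |= (uint64_t)le32(buf + 8 + i * 8) << (32 * i);
    }
    out->rootid = out->revision == 3 ? le32(buf + 4 + words * 8) : 0;
    return 0;
}

/* Constructed sample blobs for cap_net_admin(12),cap_net_raw(13)+ep, i.e. permitted = 0x3000. */
const unsigned char SAMPLE_V2[20] = {
    0x01, 0x00, 0x00, 0x02,  0x00, 0x30, 0x00, 0x00,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0 };
const unsigned char SAMPLE_V3[24] = {
    0x01, 0x00, 0x00, 0x03,  0x00, 0x30, 0x00, 0x00,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,
    0xa0, 0x86, 0x01, 0x00 };                       /* rootid = 100000 (hypothetical container root) */
```

On a live system the blob comes from `getxattr(path, "security.capability", ...)`; a v2 blob carries no rootid, which is why a kernel without v3 cannot tell a container root's setcap apart from the host root's and refuses it.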