On Tue, Oct 06, 2015 at 01:15:38PM +0300, Kirill Tkhai wrote:
> Since we use user_ns inside a CT, vzctl should have
> a possibility to enter a VE using its init_cred->user_ns.
>
> setns is allowed for tasks who are CAP_SYSADMIN in the ns,
> i.e. a task from a parent user_ns, but vice versa is
Andrey, please review.
--
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team
On 10/06/2015 01:15 PM, Kirill Tkhai wrote:
Since we use user_ns inside a CT, vzctl should have
a possibility to enter a VE using its init_cred->user_ns.
setns is allowed for tasks who are
2015-10-08 12:07 GMT+03:00 Andrew Vagin:
> On Tue, Oct 06, 2015 at 01:15:38PM +0300, Kirill Tkhai wrote:
>> Since we use user_ns inside a CT, vzctl should have
>> a possibility to enter a VE using its init_cred->user_ns.
>>
>> setns is allowed for tasks who are CAP_SYSADMIN in
Since we use user_ns inside a CT, vzctl should have
a possibility to enter a VE using its init_cred->user_ns.
setns is allowed for tasks who are CAP_SYSADMIN in the ns,
i.e. a task from a parent user_ns, but vice versa is not true.
So this should be safe.
Signed-off-by: Kirill Tkhai