Re: [Devel] [PATCH rh7] user_ns: Enable USER_NS /proc/$pid/ns/user link

2015-10-08 Thread Andrew Vagin
On Tue, Oct 06, 2015 at 01:15:38PM +0300, Kirill Tkhai wrote:
> Since we use user_ns inside a CT, vzctl should have
> a possibility to enter a VE using its init_cred->user_ns.
>
> setns is allowed for tasks who are CAP_SYSADMIN in the ns,
> i.e. a task from a parent user_ns, but vice versa is

Re: [Devel] [PATCH rh7] user_ns: Enable USER_NS /proc/$pid/ns/user link

2015-10-08 Thread Konstantin Khorenko
Andrey, please review.
--
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team
On 10/06/2015 01:15 PM, Kirill Tkhai wrote:
Since we use user_ns inside a CT, vzctl should have a possibility to enter a VE using its init_cred->user_ns. setns is allowed for tasks who are

Re: [Devel] [PATCH rh7] user_ns: Enable USER_NS /proc/$pid/ns/user link

2015-10-08 Thread Andrey Wagin
2015-10-08 12:07 GMT+03:00 Andrew Vagin:
> On Tue, Oct 06, 2015 at 01:15:38PM +0300, Kirill Tkhai wrote:
>> Since we use user_ns inside a CT, vzctl should have
>> a possibility to enter a VE using its init_cred->user_ns.
>>
>> setns is allowed for tasks who are CAP_SYSADMIN in

[Devel] [PATCH rh7] user_ns: Enable USER_NS /proc/$pid/ns/user link

2015-10-06 Thread Kirill Tkhai
Since we use user_ns inside a CT, vzctl should have a possibility to enter a VE using its init_cred->user_ns.

setns is allowed for tasks who are CAP_SYSADMIN in the ns, i.e. a task from a parent user_ns, but vice versa is not true. So this should be safe.

Signed-off-by: Kirill Tkhai