trusted.* xattrs are only for CAP_SYS_ADMIN
[host] # setfattr -n trusted.me.md5 -v d41d8cd98f00b204e9800998ecf8427e xattr-test
[host] # getfattr -m - -d xattr-test
# file: xattr-test
trusted.me.md5=d41d8cd98f00b204e9800998ecf8427e
[lxc] # getfattr -n trusted.me.md5 xattr-test
xattr-test:
On Wed, Feb 26, 2014 at 11:38:08AM +0100, Stephan Sachse wrote:
trusted.* xattrs are only for CAP_SYS_ADMIN
[host] # setfattr -n trusted.me.md5 -v d41d8cd98f00b204e9800998ecf8427e xattr-test
[host] # getfattr -m - -d xattr-test
# file: xattr-test
The capable() function only succeeds in the primary host namespace.
The kernel uses ns_capable() in cases where container namespaces
are allowed to use capabilities.
So this indicates that the kernel guys didn't believe it to be
safe to allow use of the 'trusted' xattr namespace in
for me there is no valid reason why a container is not allowed to set
file capabilities.
and here is the patch (sent to Eric W. Biederman ebied...@xmission.com)
works for me
--
Software is like sex, it's better when it's free!
Subject: [PATCH] capability: allow setxattr within userns
a lxc
Quoting Stephan Sachse (ste.sac...@gmail.com):
for me there is no valid reason why a container is not allowed to set
file capabilities.
(For the sake of the libvir-list, I replied to this on the lxc-devel@
list with a proposal that should work; but this particular patch is
not safe, as nothing
On Wed, Feb 26, 2014 at 08:54:02AM -0600, Serge Hallyn wrote:
Quoting Stephan Sachse (ste.sac...@gmail.com):
for me there is no valid reason why a container is not allowed to set
file capabilities.
(For the sake of the libvir-list, I replied to this on the lxc-devel@
list with a proposal
w/ userns:
[root@fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
Failed to set capabilities on file `/usr/bin/ping' (Operation not permitted)
[root@fedora2 ~]# id
uid=0(root) gid=0(root) groups=0(root)
w/o userns:
[root@fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep'
Can you check /proc/self/status to see the capabilities mask
you have.
[root@fedora2 ~]# cat /proc/self/status | grep ^Cap
CapInh:
CapPrm: 001db5fe
CapEff: 001db5fe
CapBnd: 001db5fe
[root@fedora2 ~]# capsh --print
Current: =ep
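An added example, not part of any message in this thread: a small decoder for the Cap* masks in /proc/self/status, run over the lines quoted above. It reports the two capabilities this thread turns on, CAP_SYS_ADMIN (needed for trusted.* xattrs) and CAP_SETFCAP (which the kernel requires to write the security.capability xattr that setcap sets); the function names are this example's own.

```python
import re

# Bit positions follow include/uapi/linux/capability.h (bit 0 = cap_chown).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# The Cap lines exactly as they appear in the thread (CapInh has no value there).
SAMPLE_STATUS = """CapInh:
CapPrm: 001db5fe
CapEff: 001db5fe
CapBnd: 001db5fe
"""

def parse_cap_masks(status_text):
    """Return {field: int or None} for the Cap* lines of a status file."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]*)\s*$", line)
        if m:
            # An empty field (as in the quoted CapInh line) is kept as None.
            masks[m.group(1)] = int(m.group(2), 16) if m.group(2) else None
    return masks

def decode(mask):
    """Names of the set bits; bits beyond the known list are shown as bitN."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"bit{b}"
            for b in range(mask.bit_length()) if (mask >> b) & 1]

def has_cap(mask, name):
    """True if the named capability bit is set in mask (None means unknown)."""
    return mask is not None and bool((mask >> CAP_NAMES.index(name)) & 1)

if __name__ == "__main__":
    for field, mask in parse_cap_masks(SAMPLE_STATUS).items():
        names = "(no value)" if mask is None else ",".join(decode(mask))
        print(f"{field}: {names}")
        for cap in ("cap_sys_admin", "cap_setfcap"):
            print(f"  {cap}: {'present' if has_cap(mask, cap) else 'absent'}")
```

A bit that is set here is held relative to the process's own user namespace, so a kernel check made with capable() rather than ns_capable() still fails inside a container, as described earlier in the thread.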
On Tue, Feb 25, 2014 at 04:50:47PM +0100, Stephan Sachse wrote:
w/ userns:
[root@fedora2 ~]# setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
Failed to set capabilities on file `/usr/bin/ping' (Operation not permitted)
[root@fedora2 ~]# id
uid=0(root) gid=0(root) groups=0(root)
Can you