Re: [lxc-devel] ioctl CAP_LINUX_IMMUTABLE is checked in the wrong namespace

2014-04-29 Thread Serge Hallyn
Quoting Marian Marinov (m...@1h.com): > On 04/30/2014 01:02 AM, Serge Hallyn wrote: > >Quoting Marian Marinov (m...@1h.com): > >>On 04/29/2014 09:52 PM, Serge Hallyn wrote: > >>>Quoting Theodore Ts'o (ty...@mit.edu): > On Tue, Apr 29, 2014 at 04:49:14PM +0300, Marian Marinov wrote: > > > >>

Re: [lxc-devel] ioctl CAP_LINUX_IMMUTABLE is checked in the wrong namespace

2014-04-29 Thread Serge Hallyn
Quoting Marian Marinov (m...@1h.com): > On 04/29/2014 09:52 PM, Serge Hallyn wrote: > >Quoting Theodore Ts'o (ty...@mit.edu): > >>On Tue, Apr 29, 2014 at 04:49:14PM +0300, Marian Marinov wrote: > >>> > >>>I'm proposing a fix to this, by replacing the capable(CAP_LINUX_IMMUTABLE) > >>>check with ns_

[lxc-devel] [PATCH] lxc-oracle: fix warnings/errors from some rpm scriptlets

2014-04-29 Thread Dwight Engen
- Some scriptlets expect fstab to exist so create it before doing the yum install - Set the rootfs selinux label same as the hosts or else the PREIN script from initscripts will fail when running groupadd utmp, which prevents creation of OL4.x containers on hosts > OL6.x. - Move creation of

[lxc-devel] [lxc/lxc] 773bd2: apparmor: allow writes to sem* and msg* sysctls

2014-04-29 Thread GitHub
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 773bd28258371ad0058ff946c5cf94419920ffdd https://github.com/lxc/lxc/commit/773bd28258371ad0058ff946c5cf94419920ffdd Author: Serge Hallyn Date: 2014-04-29 (Tue, 29 Apr 2014) Changed paths: M config/apparmo

Re: [lxc-devel] [PATCH 1/1] apparmor: allow writes to sem* and msg* sysctls

2014-04-29 Thread Dan Kegel
Works here, thanks! - Dan On Tue, Apr 29, 2014 at 2:13 PM, Stéphane Graber wrote: > On Tue, Apr 29, 2014 at 08:02:32PM +, Serge Hallyn wrote: >> /proc/sys/kernel/sem* and /proc/sys/kernel/msg* are ipc sysctls >> which are properly namespaced. Allow writes to them from >> containers. >> >> Re

Re: [lxc-devel] [PATCH 1/1] apparmor: allow writes to sem* and msg* sysctls

2014-04-29 Thread Stéphane Graber
On Tue, Apr 29, 2014 at 08:02:32PM +, Serge Hallyn wrote: > /proc/sys/kernel/sem* and /proc/sys/kernel/msg* are ipc sysctls > which are properly namespaced. Allow writes to them from > containers. > > Reported-by: Dan Kegel > Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber > --- >

[lxc-devel] [PATCH 1/1] apparmor: allow writes to sem* and msg* sysctls

2014-04-29 Thread Serge Hallyn
/proc/sys/kernel/sem* and /proc/sys/kernel/msg* are ipc sysctls which are properly namespaced. Allow writes to them from containers. Reported-by: Dan Kegel Signed-off-by: Serge Hallyn --- config/apparmor/abstractions/container-base | 9 +++-- config/apparmor/container-rules | 9

Re: [lxc-devel] ioctl CAP_LINUX_IMMUTABLE is checked in the wrong namespace

2014-04-29 Thread Theodore Ts'o
On Tue, Apr 29, 2014 at 04:49:14PM +0300, Marian Marinov wrote: > > I'm proposing a fix to this, by replacing the capable(CAP_LINUX_IMMUTABLE) > check with ns_capable(current_cred()->user_ns, CAP_LINUX_IMMUTABLE). Um, wouldn't it be better to simply fix the capable() function? /** * capable - D

Re: [lxc-devel] ioctl CAP_LINUX_IMMUTABLE is checked in the wrong namespace

2014-04-29 Thread Andy Lutomirski
On 04/29/2014 06:49 AM, Marian Marinov wrote: > Hello, > when using user namespaces I found a bug in the capability checks done > by ioctl. > > If someone tries to use chattr +i while in a different user namespace it > will get the following: > > ioctl(3, EXT2_IOC_SETFLAGS, 0x7fffa4fedacc) = -

Re: [lxc-devel] ioctl CAP_LINUX_IMMUTABLE is checked in the wrong namespace

2014-04-29 Thread Serge Hallyn
Quoting Theodore Ts'o (ty...@mit.edu): > On Tue, Apr 29, 2014 at 04:49:14PM +0300, Marian Marinov wrote: > > > > I'm proposing a fix to this, by replacing the capable(CAP_LINUX_IMMUTABLE) > > check with ns_capable(current_cred()->user_ns, CAP_LINUX_IMMUTABLE). > > Um, wouldn't it be better to sim

[lxc-devel] ioctl CAP_LINUX_IMMUTABLE is checked in the wrong namespace

2014-04-29 Thread Marian Marinov
Hello, when using user namespaces I found a bug in the capability checks done by ioctl. If someone tries to use chattr +i while in a different user namespace it will get the following: ioctl(3, EXT2_IOC_SETFLAGS, 0x7fffa4fedacc) = -1 EPERM (Operation not permitted) I'm proposing a fix to this,
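The failure described in this report, as an added reproducer that is not part of the thread or of lxc: chattr +i is a read-modify-write of the inode flag word (FS_IOC_GETFLAGS, OR in FS_IMMUTABLE_FL, FS_IOC_SETFLAGS), and the kernel guards the immutable bit with capable(CAP_LINUX_IMMUTABLE). The program below performs that sequence itself, reads CapEff from /proc/self/status so you can see the capability is held in the calling user namespace, and reports the errno the ioctl returns. It assumes a Linux host, a filesystem that implements FS_IOC_SETFLAGS for the probed file (ext4 in the report; /tmp is used when no path is given), and util-linux's `unshare` for the namespace run. Function and file names are this example's own.

```c
/* immut.c: reproduce the EPERM that chattr +i hits inside a user namespace.
 * Added example, not code from the lxc-devel thread. Build: cc -Wall -o immut immut.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/capability.h>   /* CAP_LINUX_IMMUTABLE */
#include <linux/fs.h>           /* FS_IOC_GETFLAGS, FS_IOC_SETFLAGS, FS_IMMUTABLE_FL */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Toggle FS_IMMUTABLE_FL on path the way chattr does: read the flag word,
 * change one bit, write it back. Returns 0 on success or -errno. */
int set_immutable(const char *path, int on)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    int flags = 0, rc = 0;          /* the kernel copies an int here, not a long */
    if (ioctl(fd, FS_IOC_GETFLAGS, &flags) < 0) {
        rc = -errno;
    } else {
        if (on)
            flags |= FS_IMMUTABLE_FL;
        else
            flags &= ~FS_IMMUTABLE_FL;
        if (ioctl(fd, FS_IOC_SETFLAGS, &flags) < 0)
            rc = -errno;
    }
    close(fd);
    return rc;
}

/* Bit `cap` of CapEff in /proc/self/status: 1 set, 0 clear, -1 if unreadable.
 * CapEff is relative to the caller's own user namespace, which is why a
 * process under `unshare -Ur` reports CAP_LINUX_IMMUTABLE as held. */
int has_effective_cap(int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int ret = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long long mask;
        if (sscanf(line, "CapEff: %llx", &mask) == 1) {
            ret = (int)((mask >> cap) & 1);
            break;
        }
    }
    fclose(f);
    return ret;
}

/* Try +i on path and, if that worked, clear it again so the file can still
 * be removed afterwards. Returns the result of the +i attempt. */
int probe_path(const char *path)
{
    int rc = set_immutable(path, 1);
    if (rc == 0)
        set_immutable(path, 0);
    return rc;
}

/* Same probe on a scratch file under /tmp (assumed to be on a filesystem
 * that supports the flag ioctls); the file is removed before returning. */
int probe_tmpfile(void)
{
    char path[] = "/tmp/immut-probe-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -errno;
    close(fd);
    int rc = probe_path(path);
    unlink(path);
    return rc;
}

int main(int argc, char **argv)
{
    int rc = argc > 1 ? probe_path(argv[1]) : probe_tmpfile();
    int cap = has_effective_cap(CAP_LINUX_IMMUTABLE);
    printf("CAP_LINUX_IMMUTABLE effective in my user namespace: %s\n",
           cap == 1 ? "yes" : cap == 0 ? "no" : "unknown");
    printf("FS_IOC_SETFLAGS +i: %s\n", rc == 0 ? "ok" : strerror(-rc));
    if (rc == -EPERM && cap == 1)
        printf("held here, still refused: capable(CAP_LINUX_IMMUTABLE) is "
               "evaluated against the initial user namespace\n");
    return rc == 0 ? 0 : 1;
}
```

Run it twice on the same host: `sudo ./immut` should print `ok`, while `unshare -Ur ./immut` reports the capability as effective in the new namespace and still gets `Operation not permitted`, which is the strace line quoted in the report. A filesystem without flag ioctl support answers ENOTTY or EOPNOTSUPP instead of EPERM, so check which you got before reading it as the namespace bug.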