[libvirt] LXC: capset fails with userns

Stephan Sachse ste.sachse at gmail.com
Wed Feb 26 11:09:48 UTC 2014


> The capable() function only succeeds in the primary host namespace.
>
> The kernel uses ns_capable() in cases where container namespaces
> are allowed to use capabilities.
>
> So this indicates that the kernel guys didn't believe it to be
> safe to allow use of the 'trusted' xattr namespace in containers.
>
> That said, I didn't think the 'trusted.' prefix was needed for
> package installation. I thought it used the 'security.' xattr
> prefix for file ACLs.

the trusted.* prefix was for testing, because it checks also at
reading the attributes.

security.capability is used for setcap

http://lxr.free-electrons.com/source/security/commoncap.c#L620

but it also uses capable()

setfacl works fine

/stephan

-- 
Software is like sex, it's better when it's free!



