[libvirt] LXC: capset fails with userns
Stephan Sachse
ste.sachse at gmail.com
Wed Feb 26 11:09:48 UTC 2014
> The capable() function only succeeds in the primary host namespace.
>
> The kernel uses ns_capable() in cases where container namespaces
> are allowed to use capabilities.
>
> So this indicates that the kernel guys didn't believe it to be
> safe to allow use of the 'trusted' xattr namespace in containers.
>
> That said, I didn't think the 'trusted.' prefix was needed for
> package installation. I thought it used the 'security.' xattr
> prefix for file ACLs.
the trusted.* prefix was for testing, because it is also checked when
reading the attributes.
security.capability is used for setcap
http://lxr.free-electrons.com/source/security/commoncap.c#L620
but it also uses capable()
setfacl works fine
/stephan
--
Software is like sex, it's better when it's free!