trusted.* xattrs are only for CAP_SYS_ADMIN
[host] # setfattr -n trusted.me.md5 -v d41d8cd98f00b204e9800998ecf8427e xattr-test
[host] # getfattr -m - -d xattr-test
# file: xattr-test
trusted.me.md5="d41d8cd98f00b204e9800998ecf8427e"
[lxc] # getfattr -n trusted.me.md5 xattr-test
xattr-test: trusted.me.md5: No such attribute
[lxc] # strace -e trace=getxattr getfattr -n trusted.me.md5 xattr-test
getxattr("xattr-test", "trusted.me.md5", 0x0, 0) = -1 ENODATA (No data available)
xattr-test: trusted.me.md5: No such attribute
+++ exited with 1 +++
Maybe ENODATA is from here:
http://lxr.free-electrons.com/source/fs/xattr.c#L56
so the capable(CAP_SYS_ADMIN) check fails. And if this check fails, the
check in cap_inode_setxattr()
http://lxr.free-electrons.com/source/security/commoncap.c#L620 will
also fail. But I don't know why. CAP_SYS_ADMIN is there.
/stephan
--
Software is like sex, it's better when it's free!
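An added example (not part of the message above, and not LXC's or the kernel's own code) that makes the behaviour discussed in this thread reproducible. The first function mirrors the trusted.* branch of xattr_permission() in fs/xattr.c: a caller that does not pass capable(CAP_SYS_ADMIN) gets -EPERM on a write and -ENODATA on a read, which is the same error an attribute that really does not exist would produce, so getxattr alone cannot tell the two apart. The second function probes the running process directly by writing and then reading back a trusted.* attribute on a fresh temp file; the attribute name "trusted.me.probe" and the /tmp directory are assumptions of this example. The third reads CapEff from /proc/self/status so the two can be compared: capable() is evaluated against the initial user namespace, so a CAP_SYS_ADMIN that a container holds only inside its own user namespace shows up in CapEff yet still fails the probe with EPERM.

```c
/* Added example: models and probes the kernel's trusted.* xattr check.
 * Not code from the original post; probe name and directory are assumed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

#define MAY_WRITE 0x2
#define MAY_READ  0x4
#define CAP_SYS_ADMIN_BIT 21

/* Mirror of the trusted.* rule in fs/xattr.c xattr_permission():
 * without CAP_SYS_ADMIN, writes fail with -EPERM and reads with -ENODATA.
 * Names outside the trusted namespace are not this function's concern
 * and return 0 (other rules in the kernel apply to them). */
int trusted_xattr_permission(const char *name, int mask, int has_cap_sys_admin)
{
    if (strncmp(name, "trusted.", strlen("trusted.")) != 0)
        return 0;
    if (has_cap_sys_admin)
        return 0;
    return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
}

/* Parse the CapEff line of /proc/self/status and report whether the
 * CAP_SYS_ADMIN bit is set in this process's own view of its capabilities.
 * Returns 1 if set, 0 if clear, -1 if the file could not be read. */
int has_cap_sys_admin_effective(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            unsigned long long caps = strtoull(line + 7, NULL, 16);
            result = (caps >> CAP_SYS_ADMIN_BIT) & 1ULL;
            break;
        }
    }
    fclose(f);
    return result;
}

/* Runtime probe on a temp file in `dir`: set a trusted.* attribute, then
 * read it back. Returns 1 = both worked, 0 = write refused with EPERM
 * (the capability check), -1 = other failure (filesystem without xattr
 * support, permission on the directory, ...). errno values are returned
 * through the out-parameters so the caller can print them. */
int probe_trusted_xattr(const char *dir, int *write_errno, int *read_errno)
{
    char path[4096];
    const char *name = "trusted.me.probe";   /* assumed probe attribute */
    const char value[] = "1";
    char buf[8];
    int result;

    *write_errno = 0;
    *read_errno = 0;
    snprintf(path, sizeof path, "%s/xattr-probe-XXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    if (fsetxattr(fd, name, value, sizeof value, 0) != 0) {
        *write_errno = errno;
        result = (errno == EPERM) ? 0 : -1;
    } else if (fgetxattr(fd, name, buf, sizeof buf) < 0) {
        *read_errno = errno;
        result = -1;
    } else {
        result = 1;
    }
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    int we, re;
    int cap = has_cap_sys_admin_effective();
    int r = probe_trusted_xattr("/tmp", &we, &re);
    printf("CapEff shows CAP_SYS_ADMIN: %s\n",
           cap < 0 ? "unknown" : (cap ? "yes" : "no"));
    if (r == 1)
        printf("trusted.* set and read back: capable(CAP_SYS_ADMIN) passed\n");
    else if (r == 0)
        printf("setxattr -> EPERM: capable(CAP_SYS_ADMIN) failed in init_user_ns\n");
    else
        printf("probe inconclusive: setxattr errno=%d getxattr errno=%d\n", we, re);
    return 0;
}
```

Run it on the host and inside the container: on a host with real CAP_SYS_ADMIN it reports both "yes" and a successful round trip; in a user-namespaced container CapEff still shows the bit while the write is refused with EPERM, and a read of an attribute the host set returns ENODATA exactly as in the strace above, because the same xattr_permission() branch fires before the attribute is ever looked up.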