
26 Feb
2014
12:09 p.m.
The capable() function only succeeds in the primary host namespace.
The kernel uses ns_capable() in cases where container namespaces are allowed to use capabilities.
So this indicates that the kernel guys didn't believe it to be safe to allow use of the 'trusted' xattr namespace in containers.
That said, I didn't think the 'trusted.' prefix was needed for package installation. I thought it used the 'security.' xattr prefix for file ACLs.
The trusted.* prefix was for testing, because it also checks when reading the attributes.

security.capability is used for setcap
http://lxr.free-electrons.com/source/security/commoncap.c#L620
but it also uses capable()

setfacl works fine

/stephan

--
Software is like sex, it's better when it's free!
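
To check from inside a container how the kernel treats the 'trusted.' prefix discussed in this thread, the following probe sets and reads back one attribute in the `user.` namespace (as a control) and one in `trusted.`, and reports the errno of each call. It is an added example, not code from the thread or from any project mentioned in it; the attribute names `user.probe` and `trusted.probe` and the `/tmp` scratch path are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Try to set, then read back, one xattr on `path`.
 * set_err / get_err receive 0 on success or the errno of the failed call. */
static void probe_xattr(const char *path, const char *name,
                        int *set_err, int *get_err)
{
    static const char value[] = "probe";      /* constructed sample value */
    char buf[16];

    *set_err = setxattr(path, name, value, sizeof value - 1, 0) ? errno : 0;
    *get_err = getxattr(path, name, buf, sizeof buf) < 0 ? errno : 0;
    if (*set_err == 0)
        removexattr(path, name);              /* leave the file clean */
}

/* Probe a control name and a trusted.* name on a scratch file.
 * Both names are hypothetical; returns -1 if no scratch file could be made. */
static int probe_scratch(int set_err[2], int get_err[2])
{
    static const char *names[2] = { "user.probe", "trusted.probe" };
    char path[] = "/tmp/xattr-probe-XXXXXX";
    int fd = mkstemp(path);

    if (fd < 0)
        return -1;
    close(fd);
    for (int i = 0; i < 2; i++) {
        probe_xattr(path, names[i], &set_err[i], &get_err[i]);
        printf("%-14s set: %s, ", names[i],
               set_err[i] ? strerror(set_err[i]) : "ok");
        printf("get: %s\n", get_err[i] ? strerror(get_err[i]) : "ok");
    }
    unlink(path);
    return 0;
}

int main(void)
{
    int set_err[2], get_err[2];
    return probe_scratch(set_err, get_err) ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

A caller that fails the kernel's capability check for `trusted.` sees EPERM on the write and ENODATA on the read, while ENOTSUP on either name means the filesystem under `/tmp` does not support that attribute class at all.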