The capable() function only succeeds in the primary host namespace.
The kernel uses ns_capable() in cases where container namespaces
are allowed to use capabilities.
So this indicates that the kernel guys didn't believe it to be
safe to allow use of the 'trusted' xattr namespace in containers.
That said, I didn't think the 'trusted.' prefix was needed for
package installation. I thought it used the 'security.' xattr
prefix for file ACLs.
The trusted.* prefix was for testing, because it also checks when
reading the attributes.
security.capability is used for setcap
http://lxr.free-electrons.com/source/security/commoncap.c#L620
but it also uses capable()
setfacl works fine
/stephan
--
Software is like sex, it's better when it's free!