Re: [libvirt] [lxc-devel] capset fails with userns

Quoting Stephan Sachse (ste.sachse@gmail.com):
> > Look at security/commoncap.c:cap_inode_setxattr()
> > Whereas file ownership is properly namespaced, and task capabilities are properly namespaced, file capabilities are more problematic. To support this, I think we'd need a new capability xattr format. If we add the kuid_t of the user_namespace root id, I think we could safely support this.
> sorry for this :) but I'm not a kernel/c programmer.
No no, thanks for raising the issue, and thanks for having sent a patch!
> maybe there must be more than one cap set per file.
> security.capability for the init_ns, security.capability.{kuid_t} for the userns.
> the name of the xattr must be transparently mapped.
> in userns for get*(), if there is no security.capability.{kuid_t}, use security.capability. but never write to security.capability, always to security.capability.{kuid_t}.
> or the format of security.capability must be changed to support more than one set of caps. every capability set must be associated with a kuid_t.
To avoid impacting the performance of the host case, we could keep the current XATTR_NAME_CAPS format in init_user_ns, and add a new XATTR_NAME_CAPS_V2 which adds the kuid_t.
> back to line one of my mail: I'm not a kernel/c programmer :'(
This frankly looks like fun, but I won't have time to work on this this week. If anyone else does, I'll happily look at the patches.

thanks,
-serge
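As an added illustration (not code from this thread or from either poster), here is a user-space decoder for the on-disk security.capability blob in its current v2 form and in the kuid-tagged form the thread proposes; the layout and constants match what mainline Linux later shipped as VFS_CAP_REVISION_3 (struct vfs_ns_cap_data with a rootid). The two sample blobs are constructed, and fcaps_apply_in_ns is an illustrative check, not the kernel's code path.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* On-disk layout of the security.capability xattr; constants match Linux uapi. */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_REVISION_3      0x03000000u /* v2 plus a root uid: the kuid tag proposed above */
#define VFS_CAP_SIZE_V2 20                  /* magic + permitted/inheritable low and high words */
#define VFS_CAP_SIZE_V3 24                  /* v2 + 32-bit rootid */
struct fcaps {
    uint32_t revision;
    int effective;                   /* VFS_CAP_FLAGS_EFFECTIVE set in magic_etc */
    uint64_t permitted, inheritable;
    uint32_t rootid;                 /* v3: uid of the owning namespace's root; v2: 0 (init_user_ns) */
};
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Decode one xattr blob. Returns 0 on success, -1 if the revision is unknown or the
 * length does not match it (a truncated or padded blob is rejected, not guessed at). */
int decode_fcaps(const unsigned char *buf, size_t len, struct fcaps *out) {
    if (len < 4) return -1;
    uint32_t magic = le32(buf), rev = magic & VFS_CAP_REVISION_MASK;
    if (rev == VFS_CAP_REVISION_2 && len != VFS_CAP_SIZE_V2) return -1;
    if (rev == VFS_CAP_REVISION_3 && len != VFS_CAP_SIZE_V3) return -1;
    if (rev != VFS_CAP_REVISION_2 && rev != VFS_CAP_REVISION_3) return -1;
    out->revision    = rev;
    out->effective   = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    out->permitted   = le32(buf + 4) | (uint64_t)le32(buf + 12) << 32;
    out->inheritable = le32(buf + 8) | (uint64_t)le32(buf + 16) << 32;
    out->rootid      = (rev == VFS_CAP_REVISION_3) ? le32(buf + 20) : 0;
    return 0;
}
/* The check the thread argues for (illustrative): a cap set is honoured only by tasks whose
 * user namespace root is the uid it was written for (v2 sets belong to uid 0, init_user_ns). */
int fcaps_apply_in_ns(const struct fcaps *c, uint32_t ns_root_uid) {
    return c->rootid == ns_root_uid;
}
/* Constructed samples: v2, effective CAP_NET_BIND_SERVICE (bit 10); v3, same cap, rootid 100000. */
const unsigned char SAMPLE_V2[VFS_CAP_SIZE_V2] = {1,0,0,2, 0,4,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0};
const unsigned char SAMPLE_V3[VFS_CAP_SIZE_V3] = {0,0,0,3, 0,4,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0xA0,0x86,1,0};
int main(void) {
    struct fcaps c;
    if (decode_fcaps(SAMPLE_V3, sizeof SAMPLE_V3, &c) == 0)
        printf("rev=%#x eff=%d permitted=%#llx rootid=%u\n", c.revision, c.effective,
               (unsigned long long)c.permitted, c.rootid);
    return 0;
}
```

A real blob comes from getxattr(2) on the file; the decoder deliberately refuses a v3-tagged blob that is only 20 bytes long rather than reading past it.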