[Devel] Re: [PATCH 1/1] RFC: taking a crack at targeted capabilities

Eric W. Biederman ebiederm at xmission.com
Wed Jan 6 13:11:19 PST 2010


"Serge E. Hallyn" <serue at us.ibm.com> writes:

>> - Introduce ns_capable to test for a capability in a non-default
>>   user namespace.
>> - Teach cap_capable to handle capabilities in a non-default
>>   user namespace.
>
> So yeah, I didn't address the whole has_capability junk.  Feh.

That just fell out...

> So do you intend to tag all namespaces with the userns which
> created it?  So sys_hostname() can check utsname->uts_ns->creator,
> and net ioctl SIOCSIFNAME checks struct net->creator?

That is the plan.  Add a creator/usernamespace as part of the patches
to support creating a new namespace without the global CAP_SYS_ADMIN.

Eric
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers




More information about the Devel mailing list