[Devel] Re: [PATCH 1/1] RFC: taking a crack at targeted capabilities
Eric W. Biederman
ebiederm at xmission.com
Wed Jan 6 13:11:19 PST 2010
"Serge E. Hallyn" <serue at us.ibm.com> writes:

>> - Introduce ns_capable to test for a capability in a non-default
>> user namespace.
>> - Teach cap_capable to handle capabilities in a non-default
>> user namespace.
>
> So yeah, I didn't address the whole has_capability junk. Feh.

That just fell out...

> So do you intend to tag all namespaces with the userns which
> created it? So sys_hostname() can check utsname->uts_ns->creator,
> and net ioctl SIOCSIFNAME checks struct net->creator?

That is the plan. Add a creator/usernamespace as part of the patches
to support creating a new namespace without the global CAP_SYS_ADMIN.

Eric
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
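
The creator-tagging idea discussed in this message, as an added user-space model in C; it is not kernel code and not taken from the patch under discussion. The struct layouts, `may_set_hostname()`, the sample tasks and the ancestor-walk rule inside this `ns_capable()` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_SYS_ADMIN 21 /* value from linux/capability.h */

/* Hypothetical, simplified types: only the fields the check needs. */
struct user_ns { struct user_ns *parent; };   /* NULL parent = initial ns */
struct uts_ns  { struct user_ns *creator; };  /* userns that created it   */
struct task    { struct user_ns *user_ns; uint64_t caps; };

/* Targeted check: does t hold cap with respect to the target user namespace?
 * Assumed rule for this model: walk from the target up through its parents;
 * if the task's own namespace is on that path, its capability bit decides.
 * A capability held only in a child namespace never reaches upward. */
bool ns_capable(const struct task *t, const struct user_ns *target, int cap)
{
    for (const struct user_ns *ns = target; ns != NULL; ns = ns->parent)
        if (ns == t->user_ns)
            return (t->caps >> cap) & 1;
    return false;
}

/* Model of a hostname-change permission check against the uts creator. */
bool may_set_hostname(const struct task *t, const struct uts_ns *uts)
{
    return ns_capable(t, uts->creator, CAP_SYS_ADMIN);
}

/* Constructed sample objects: a host and one container. */
static struct user_ns init_user_ns  = { NULL };
static struct user_ns child_user_ns = { &init_user_ns };
static struct uts_ns host_uts       = { &init_user_ns };
static struct uts_ns container_uts  = { &child_user_ns };
static struct task host_root      = { &init_user_ns,  1ULL << CAP_SYS_ADMIN };
static struct task container_root = { &child_user_ns, 1ULL << CAP_SYS_ADMIN };
static struct task container_user = { &child_user_ns, 0 };

int main(void)
{
    printf("container root -> container uts: %d\n",
           may_set_hostname(&container_root, &container_uts));
    printf("container root -> host uts:      %d\n",
           may_set_hostname(&container_root, &host_uts));
    printf("host root      -> container uts: %d\n",
           may_set_hostname(&host_root, &container_uts));
    printf("container user -> container uts: %d\n",
           may_set_hostname(&container_user, &container_uts));
    return 0;
}
```
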