[Devel] [PATCH rh7] user_ns: Enable USER_NS /proc/$pid/ns/user link

Andrew Vagin avagin at odin.com
Thu Oct 8 02:07:51 PDT 2015


On Tue, Oct 06, 2015 at 01:15:38PM +0300, Kirill Tkhai wrote:
> Since we use user_ns inside a CT, vzctl should have
> a possibility to enter a VE using its init_cred->user_ns.
> 
> setns is allowed for tasks that are CAP_SYSADMIN in the ns,
> i.e. a task from a parent user_ns, but vice versa is not true.
> So this should be safe.

Acked-by: Kirill Tkhai <ktkhai at odin.com>

> 
> Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
> ---
>  fs/proc/namespaces.c |    3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c
> index ec7e269..54bdc67 100644
> --- a/fs/proc/namespaces.c
> +++ b/fs/proc/namespaces.c
> @@ -28,8 +28,7 @@ static const struct proc_ns_operations *ns_entries[] = {
>  #ifdef CONFIG_PID_NS
>  	&pidns_operations,
>  #endif
> -/* Currently disabled in RHEL */
> -#if 0
> +#ifdef CONFIG_USER_NS
>  	&userns_operations,
>  #endif
>  	&mntns_operations,
> 
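
Review bot: at `#ifdef CONFIG_USER_NS`, the hunk drops the "Currently disabled in RHEL" comment without recording why the entry was disabled or why that reason no longer applies. The safety argument in the commit message rests on the setns permission check for user namespaces, which is outside this diff; please name in the commit message the function in the rh7 tree that enforces it, so it can be confirmed present before `&userns_operations` is added to `ns_entries[]`. The entry is also enabled for every CONFIG_USER_NS build and every /proc/$pid/ns directory, not only for the vzctl enter path, so the message should say that the wider exposure is intended.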


