[Devel] [PATCH] fs/locks: Make CAP_LEASE work in containers

Konstantin Khorenko khorenko at virtuozzo.com
Fri Apr 29 06:48:09 PDT 2016


On 04/26/2016 12:36 PM, Cyrill Gorcunov wrote:
> On Mon, Apr 25, 2016 at 06:22:10PM +0300, Evgenii Shatokhin wrote:
>> https://jira.sw.ru/browse/PSBM-46199
>>
>> Allowing the privileged processes in the containers to set leases on
>> arbitrary files seems to do no harm. Let us make CAP_LEASE work there.
>>
>> Signed-off-by: Evgenii Shatokhin <eshatokhin at virtuozzo.com>
> Acked-by: Cyrill Gorcunov <gorcunov at openvz.org>
>
> There is one point which actually worries me a bit: ve_capable is
> rather a check for creds in the user-ns we created for the container during
> its startup. Do we prohibit creating new user namespaces inside a
> container? If not, we'd better.

After commit 59d3d058b80bf976126ff7cd4c6b429e3d7f6557
we do allow creating user namespaces inside Containers.
Why should we prohibit them?
