[Devel] [PATCH] fs/locks: Make CAP_LEASE work in containers

Cyrill Gorcunov gorcunov at virtuozzo.com
Fri Apr 29 07:17:48 PDT 2016


On Fri, Apr 29, 2016 at 04:48:09PM +0300, Konstantin Khorenko wrote:
> >>
> >>Allowing the privileged processes in the containers to set leases on
> >>arbitrary files seems to do no harm. Let us make CAP_LEASE work there.
> >>
> >>Signed-off-by: Evgenii Shatokhin <eshatokhin at virtuozzo.com>
> >Acked-by: Cyrill Gorcunov <gorcunov at openvz.org>
> >
> >There is one point which worries me a bit actually: ve_capable is
> >rather a check for creds in the user-ns we created for the container during
> >its startup. Do we prohibit creating new user namespaces inside the
> >container? If not, we had better do so.
> 
> After commit 59d3d058b80bf976126ff7cd4c6b429e3d7f6557
> we do allow creating user namespaces inside Containers.
> Why is it better to prohibit them?

ve_capable tests for creds in the userns, while vanilla
uses plain capable() here, which tests for the init namespace
only. That is a difference, and I would like to make sure
it's safe to use ve_capable here. Can one create a nested
userns inside with the same caps and drop the lease on this
file? Or am I missing something?

