[Devel] [PATCH] fs/locks: Make CAP_LEASE work in containers
Cyrill Gorcunov
gorcunov at virtuozzo.com
Fri Apr 29 08:19:56 PDT 2016
On Fri, Apr 29, 2016 at 05:17:48PM +0300, Cyrill Gorcunov wrote:
> > After commit 59d3d058b80bf976126ff7cd4c6b429e3d7f6557
> > we do allow to create user namespaces inside Containers.
> > Why we better prohibit them?
>
> ve-capable tests for creds in userns, while vanilla
> uses plain capable() here which test for init namespace
> only. which is a difference and i would like to make sure
> it's safe here to use ve-capable. can one create nested
> userns inside with same caps and drop the lease on this
> file? Or I miss somehting?
Sorry, false alarm, we check for toplevel userns in ve_capable,
so everything is safe.
Cyrill
More information about the Devel
mailing list