[Devel] [PATCH] fs/locks: Make CAP_LEASE work in containers

Cyrill Gorcunov gorcunov at virtuozzo.com
Thu May 5 22:23:26 PDT 2016


On Thu, May 05, 2016 at 05:23:36PM -0700, Andrey Vagin wrote:
> On Tue, Apr 26, 2016 at 12:36:12PM +0300, Cyrill Gorcunov wrote:
> > On Mon, Apr 25, 2016 at 06:22:10PM +0300, Evgenii Shatokhin wrote:
> > > https://jira.sw.ru/browse/PSBM-46199
> > > 
> > > Allowing the privileged processes in the containers to set leases on
> > > arbitrary files seems to do no harm. Let us make CAP_LEASE work there.
> > > 
> > > Signed-off-by: Evgenii Shatokhin <eshatokhin at virtuozzo.com>
> > Acked-by: Cyrill Gorcunov <gorcunov at openvz.org>
> > 
> > There is one point which worries me a bit actually: ve_capable is
> > rather a check for creds in user-ns we created for container during
> > its startup. Do we prohibit creating new user-namespaces inside
> > container? If not -- we better should.
> 
> ve_capable grabs user_ns from ve_struct, so it should be safe to allow
> creating user namespaces in a container.

Already resolved ;)

	Cyrill
