On 13.06.2013 20:02, Richard Weinberger wrote:
> Dropping capabilities within a user namespace makes no sense because any uid 0 process will regain all caps upon execve().
>
> Signed-off-by: Richard Weinberger <richard@xxxxxx>
BTW: This one also solves a funny systemd issue. systemd reads from /proc/1/environ to detect whether it runs within LXC or not. If we change the capability set (it does not matter which cap we drop), uid 0/pid 1 is no longer allowed to read from that file.

I have to admit that I don't fully understand what kind of user namespace/capability horror is going on. (Currently reading kernel sources to find out.) But if pid 1 execve's anything else it regains a fresh capability set and is allowed to read /proc/1/environ. This is why <init>/sbin/init</init> did not work for me. If I use a simple bash wrapper as init which execve's systemd it works fine...

Thanks,
//richard

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
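The "regains all caps upon execve()" behaviour can be checked from userspace without reading kernel sources: /proc/<pid>/status exposes the inheritable, permitted, effective and bounding masks, and capabilities(7) gives the rule for a uid 0 process executing a binary without file capabilities, P'(permitted) = P(inheritable) | P(bounding), with P'(effective) = P'(permitted). The program below is an added example, not code from the thread or from libvirt; it parses those masks (from a constructed status snippet or from the live /proc/self/status) and applies that rule, which shows why dropping a capability from the permitted/effective set of a root process is undone by the next execve() while dropping it from the bounding set is not. The bit number 21 for CAP_SYS_ADMIN is the value from <linux/capability.h>, defined locally so the file builds without that header.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit index of CAP_SYS_ADMIN as defined in <linux/capability.h>. */
#define CAP_SYS_ADMIN_BIT 21

/* The capability masks printed by /proc/<pid>/status. */
struct caps {
    uint64_t inh; /* CapInh: inheritable */
    uint64_t prm; /* CapPrm: permitted */
    uint64_t eff; /* CapEff: effective */
    uint64_t bnd; /* CapBnd: bounding */
};

/* Parse the Cap* lines of a /proc/<pid>/status text (any order, other
 * lines ignored). Returns 0 on success, -1 if one of the four is missing. */
int parse_status_caps(const char *text, struct caps *out)
{
    struct { const char *key; uint64_t *dst; int seen; } fields[] = {
        { "CapInh:", &out->inh, 0 }, { "CapPrm:", &out->prm, 0 },
        { "CapEff:", &out->eff, 0 }, { "CapBnd:", &out->bnd, 0 },
    };
    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        for (size_t i = 0; i < 4; i++) {
            size_t klen = strlen(fields[i].key);
            if (len > klen && strncmp(line, fields[i].key, klen) == 0) {
                /* strtoull skips the tab after the colon and stops at '\n'. */
                *fields[i].dst = strtoull(line + klen, NULL, 16);
                fields[i].seen = 1;
            }
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    for (size_t i = 0; i < 4; i++)
        if (!fields[i].seen)
            return -1;
    return 0;
}

/* Non-zero if capability number `bit` is present in `mask`. */
int has_cap(uint64_t mask, unsigned bit)
{
    return (mask >> bit) & 1u;
}

/* Permitted (and effective) set a uid 0 process ends up with after execve()
 * of a file that carries no file capabilities, per capabilities(7):
 *   P'(permitted) = P(inheritable) | P(bounding)
 * Anything removed only from the permitted/effective set comes back;
 * anything removed from the bounding set stays gone. */
uint64_t caps_after_root_execve(const struct caps *c)
{
    return c->inh | c->bnd;
}

/* Read the live masks of the calling process. Returns 0 on success. */
int read_own_caps(struct caps *out)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char buf[8192];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_status_caps(buf, out);
}

int main(void)
{
    struct caps c;
    if (read_own_caps(&c) != 0) {
        perror("/proc/self/status");
        return 1;
    }
    printf("effective now:          %016llx\n", (unsigned long long)c.eff);
    printf("bounding:               %016llx\n", (unsigned long long)c.bnd);
    printf("as root after execve(): %016llx\n",
           (unsigned long long)caps_after_root_execve(&c));
    return 0;
}
```

Run it as uid 0 inside the container, then again from a wrapper that has dropped a capability from the effective set only: the "after execve()" line stays equal to the bounding set, which is the regain the thread describes. Only a drop applied to CapBnd (for example via prctl(PR_CAPBSET_DROP)) changes that line.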