trusted.* xattrs are only for CAP_SYS_ADMIN

[host] # setfattr -n trusted.me.md5 -v d41d8cd98f00b204e9800998ecf8427e xattr-test
[host] # getfattr -m - -d xattr-test
# file: xattr-test
trusted.me.md5="d41d8cd98f00b204e9800998ecf8427e"

[lxc] # getfattr -n trusted.me.md5 xattr-test
xattr-test: trusted.me.md5: No such attribute
[lxc] # strace -e trace=getxattr getfattr -n trusted.me.md5 xattr-test
getxattr("xattr-test", "trusted.me.md5", 0x0, 0) = -1 ENODATA (No data available)
xattr-test: trusted.me.md5: No such attribute
+++ exited with 1 +++

Maybe ENODATA is from here:
http://lxr.free-electrons.com/source/fs/xattr.c#L56
So the capable(CAP_SYS_ADMIN) check fails, and if this check fails, the check in cap_inode_setxattr()
http://lxr.free-electrons.com/source/security/commoncap.c#L620
will also fail.

But I don't know why. CAP_SYS_ADMIN is there.

/stephan

--
Software is like sex, it's better when it's free!

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
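A small diagnostic for the situation in this post, added here as an example and not code from the thread or from libvirt. It reports whether the process holds CAP_SYS_ADMIN in its effective set, whether it sits in the initial user namespace (the kernel's capable() checks the capability against that namespace, so a container root in a child user namespace fails it even though CapEff shows the bit), and how a trusted.* read fails. The attribute name trusted.probe and the probe path are assumptions.

```python
import errno
import os
import tempfile

CAP_SYS_ADMIN = 21                 # bit number from <linux/capability.h>
INIT_UID_MAP = "0 0 4294967295"    # identity map printed by /proc/self/uid_map in the initial userns


def has_cap(capeff_hex, cap=CAP_SYS_ADMIN):
    """True if capability bit `cap` is set in a CapEff mask as printed in /proc/<pid>/status."""
    return bool((int(capeff_hex, 16) >> cap) & 1)


def in_init_userns(uid_map_text):
    """True if uid_map is the identity map, i.e. the caller is in the initial user namespace.
    fs/xattr.c gates trusted.* on capable(CAP_SYS_ADMIN), which is evaluated against that
    namespace, so a container root with its own uid_map fails even with the bit in CapEff."""
    return " ".join(uid_map_text.split()) == INIT_UID_MAP


def classify_xattr_read(path, name="trusted.probe"):
    """Read a trusted.* attribute and name the errno. A read that fails the capability check
    gets ENODATA, the same value as a genuinely absent attribute, which is why the strace in
    the thread cannot tell the two apart (a setxattr in that state gets EPERM instead)."""
    try:
        os.getxattr(path, name)
        return "readable"
    except OSError as e:
        if e.errno == errno.ENODATA:
            return "ENODATA (attribute absent, or trusted.* hidden by the capability check)"
        if e.errno == errno.ENOTSUP:
            return "ENOTSUP (filesystem does not support xattrs)"
        return errno.errorcode.get(e.errno, str(e.errno))


def diagnose(path):
    """Gather the facts that decide trusted.* visibility for the current process."""
    with open("/proc/self/status") as f:
        capeff = next(line.split()[1] for line in f if line.startswith("CapEff:"))
    with open("/proc/self/uid_map") as f:
        uid_map = f.read()
    return {
        "cap_sys_admin_effective": has_cap(capeff),
        "in_initial_user_namespace": in_init_userns(uid_map),
        "trusted_read": classify_xattr_read(path),
    }


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile() as tmp:     # constructed probe file
        for key, value in diagnose(tmp.name).items():
            print(f"{key}: {value}")
```

Run it once on the host and once inside the container: trusted.* is only visible when both boolean fields are True, regardless of what getfattr's ENODATA suggests.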