For me there is no valid reason why a container is not allowed to set file capabilities. And here is the patch (sent to Eric W. Biederman <ebiederm@xxxxxxxxxxxx>); it works for me.

--
Software is like sex, it's better when it's free!
Subject: [PATCH] capability: allow setxattr within userns a lxc container with user namespace enabled can not set file capabilities. every yum install <pkg> where the pkg has file capabilities fails with Error unpacking rpm package <PKG> error: unpacking of archive failed on file <FILE>: cpio: cap_set_file for me there is no valid reason why a container is not allowed to set file capabilities Signed-off-by: Stephan Sachse <sachse@xxxxxxxxx> --- security/commoncap.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index b9d613e..9efdbef 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -621,14 +621,14 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ns_capable(current_user_ns(), CAP_SETFCAP)) return -EPERM; return 0; } if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && - !capable(CAP_SYS_ADMIN)) + !ns_capable(current_user_ns(), CAP_SYS_ADMIN)) return -EPERM; return 0; } @@ -647,14 +647,14 @@ int cap_inode_setxattr(struct dentry *dentry, const char *name, int cap_inode_removexattr(struct dentry *dentry, const char *name) { if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) + if (!ns_capable(current_user_ns(), CAP_SETFCAP)) return -EPERM; return 0; } if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && - !capable(CAP_SYS_ADMIN)) + !ns_capable(current_user_ns(), CAP_SYS_ADMIN)) return -EPERM; return 0; } -- 1.8.5.3
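Review bot: in the cap_inode_setxattr hunk, checking `ns_capable(current_user_ns(), CAP_SETFCAP)` is not enough on its own, because the check is scoped to the caller's namespace while the security.capability xattr it permits is not: the stored capability set carries no record of which user namespace set it, and the creator of a user namespace holds CAP_SETFCAP in that namespace by construction. So any task that is root only inside its own namespace can write security.capability on any inode it already has write permission to, and where that inode is also visible outside the namespace (a bind mount of a host directory, a shared volume) the stored capabilities are honoured as real capabilities the next time the file is executed by a task in the initial namespace. The privilege check needs to be made against the namespace that owns the inode's filesystem and the inode's owner (the caller must be privileged over the mapped owner, not merely privileged somewhere), or the on-disk format has to record the root uid of the namespace that wrote it so the capabilities only take effect inside that namespace and its descendants. The same reasoning applies to the `XATTR_SECURITY_PREFIX` branch in this hunk: CAP_SYS_ADMIN in an arbitrary user namespace should not unlock writes to security.* attributes on files owned outside it.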
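Review bot: the cap_inode_removexattr hunk has the same scoping problem as the setxattr one (`current_user_ns()` is the caller's namespace, not the one owning the file), and it goes beyond what the commit message motivates: the reported failure is `cpio: cap_set_file`, which only needs the `XATTR_NAME_CAPS` branch of cap_inode_setxattr, yet both hunks also relax the `CAP_SYS_ADMIN` test for every security.*-prefixed attribute. Please either split the security.* prefix changes into a separate, justified patch or explain in the commit message why a namespace-scoped CAP_SYS_ADMIN is sufficient for them; as posted, the two `!ns_capable(current_user_ns(), CAP_SYS_ADMIN)` changes widen the attack surface for no stated reason.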
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list