Quoting Stephan Sachse (ste.sachse@xxxxxxxxx): > for me there is no valid reason why a container is not allowed to set > file capabilities. (For the sake of the libvir-list, I replied to this on the lxc-devel@ list with a proposal that should work; but this particular patch is not safe, as nothing would stop an unprivileged user from mapping 0 to his uid in a new namespace, adding CAP_SYS_ADMIN, getting back to the init namespace, and running it with privilege. Adding a new capability format which adds the kuid_t of the user_ns root would solve this. Thanks Stephan for pushing on this.) -serge -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list