"Serge E. Hallyn" <serge@xxxxxxxxxx> writes:

> Quoting Michael Kerrisk (man-pages) (mtk.manpages@xxxxxxxxx):
>> Hi Eric,
>>
>> On 07/25/2016 03:18 PM, Eric W. Biederman wrote:
>> > "Michael Kerrisk (man-pages)" <mtk.manpages@xxxxxxxxx> writes:
>> >
>> >> Hi Andrey,
>> >>
>> >> On 07/22/2016 08:25 PM, Andrey Vagin wrote:
>> >> Perhaps add "and the caller does not have CAP_SYS_ADMIN" in the initial
>> >> user namespace"?
>> >
>> > Having looked at that bit of code I don't think capabilities really
>> > have a role to play.
>>
>> Yes, I caught up with that now. I await to see how this plays out
>> in the next patch version.
>
> Thanks - that had caught my eye but I hadn't had time to look into the
> justification for this. Hiding this kind of thing indeed seems wrong to
> me, unless there is a really good justification for it, i.e. a way
> to use that info in an exploit.

To avoid breaking checkpoint/restart we need to limit information to
the namespaces the caller is a member of for the user and pid
namespaces. This roughly duplicates the parentage checks in
ns_capable.

Conceptually this is the same as limiting .. in a chroot environment.

Eric
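A user-space model of the parentage rule Eric describes, added here as an illustration and not code from the kernel or from the patch series: a namespace is visible to a caller only if the caller's own namespace is that namespace or one of its ancestors, so a parent lookup stops at the caller's namespace the way ".." stops at the root of a chroot. The `struct ns` tree, `ns_visible_to` and `ns_parent_limited` are constructed for this example.

```c
/* Added model of the "limit to namespaces the caller is a member of"
 * check; not the kernel's own code. */
#include <stdbool.h>
#include <stddef.h>

struct ns {
    const char *name;
    struct ns *parent;   /* NULL for the initial (root) namespace */
};

/* Walk from target up towards the root. The target is visible to the
 * caller iff the walk passes through the caller's own namespace
 * (which includes the case target == caller_ns). */
static bool ns_visible_to(const struct ns *target, const struct ns *caller_ns)
{
    for (const struct ns *n = target; n != NULL; n = n->parent)
        if (n == caller_ns)
            return true;
    return false;
}

/* Parent lookup limited like ".." in a chroot: the parent is returned
 * only if it is itself visible to the caller, so the caller can never
 * climb above the namespace it is a member of. NULL means "hidden"
 * (or no parent at all for the root namespace). */
static const struct ns *ns_parent_limited(const struct ns *target,
                                          const struct ns *caller_ns)
{
    const struct ns *parent = target->parent;
    if (parent == NULL || !ns_visible_to(parent, caller_ns))
        return NULL;
    return parent;
}

/* Constructed tree for the example: init -> a -> a1, and init -> b. */
static struct ns init_ns = { "init", NULL };
static struct ns ns_a    = { "a",    &init_ns };
static struct ns ns_a1   = { "a1",   &ns_a };
static struct ns ns_b    = { "b",    &init_ns };
```

A caller in `a` can see `a` and `a1` and learn that `a1`'s parent is `a`, but asking for the parent of `a` (the initial namespace) or anything about the sibling `b` yields nothing.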