On 01/16/2018 06:38 PM, Serge E. Hallyn wrote: > Quoting Jann Horn (jannh@xxxxxxxxxx): >> On Tue, Jan 9, 2018 at 7:52 PM, Serge E. Hallyn <serge@xxxxxxxxxx> wrote: [...] >>> +A VFS_CAP_REVISION_3 file capability will take effect only when run in a user namespace >>> +whose UID 0 maps to the saved "nsroot", or a descendant of such a namespace. >>> +.PP >>> +Users with the required privilege may use >>> +.BR setxattr(2) >>> +to request either a VFS_CAP_REVISION_2 or VFS_CAP_REVISION_3 write. >>> +The kernel will automatically convert a VFS_CAP_REVISION_2 to a >>> +VFS_CAP_REVISION_3 extended attribute with the "nsroot" >>> +set to the root user in the writer's user namespace, or, if a VFS_CAP_REVISION_3 >>> +extended attribute is specified, then the kernel will map the >>> +specified root user ID (which must be a valid user ID mapped in the caller's >>> +user namespace) into the initial user namespace. >> >> Really, "into the initial user namespace"? That may be true for the >> kernel-internal representation, but the on-disk representation is the >> mapping into the user namespace that contains the mount namespace into >> which the file system was mounted, right? > > Ah, yes, it is. > >> This would become observable >> when a file system is mounted in a different namespace than before, or >> when working with FUSE in a namespace. > > Yes it would. > > Michael, you said you were reworking it, do you mind working this into > it as well? So, I must confess that I don't really understand this piece of the conversation--neither Jann's comments nor Serge's response (Serge, are you saying Jann is right or wrong in his comments?). Perhaps this can be clarified as a response to the man page text in the other mail I just sent? 
Cheers, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/
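
Review bot: the last sentence of the quoted hunk says the kernel maps the specified root user ID "into the initial user namespace" without saying which representation that describes, and as the quoted replies agree, this is at most true of the kernel-internal value, not of what is stored in the extended attribute. A man page should describe what the caller can observe, so I'd suggest wording this in terms of the on-disk value (the ID as mapped in the user namespace containing the mount namespace into which the file system was mounted) and adding that the stored value therefore becomes visible as different when the file system is mounted in another namespace or served by FUSE inside one. Two smaller points in the same hunk: "Users with the required privilege" should name the privilege, unless the elided text above already does, and ".BR setxattr(2)" needs a space before the section number (".BR setxattr (2)") so that only the name is set in bold.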