Quoting Huang Qiang (h.huangqiang@xxxxxxxxxx): > From: Zhao Hongjiang <zhaohongjiang@xxxxxxxxxx> > > HI: Hi, > When I use an unprivileged user exec the following command: > # nsexec -cUn /bin/bash > to create a container with new user_ns and net_ns. > > Then I exec "echo 4096 4096 4096 > /proc/sys/net/ipv4/tcp_mem", > the result is Permission Denied which we hope it should be allowed. > > It is because of capable(CAP_NET_ADMIN). > > Even my unprivileged user have the CAP_NET_ADMIN in the new user_ns and the > tcp_mem is belong to the new net_ns, the capable(CAP_NET_ADMIN) checking is > that this must in the init_user_ns, so the result is the network administrator > can't have the same access as root. > > Use nsown_capable(...) the problem is solved. > > PS: I changed lxc almostly like what serge done, then use an unprivileged user Which time? :) FWIW the closest I came to a working patch to lxc to work with user namespaces was https://code.launchpad.net/~serge-hallyn/ubuntu/quantal/lxc/lxc-user-ns but, of course, the missing ns_capable conversions prevented that from being usable yet. > to start a container, several Permission Denied occur(such as mount), all this > is caused by capabale(...), when i use nsown_capable(...) the container is > running like everything is ok. > Is this capabale() methed is obsolete? If so, i'll send a new patch to solve > all this problems. The intent is to switch many of them over, but we don't want to start handing out capabilities until we're sure the core conversion is complete. Eric still has a large patchset which hasn't been merged upstream, which I'd like to see before this patch or the others you are talking about. (See http://git.kernel.org/?p=linux/kernel/git/ebiederm/user-namespace.git;a=summary and http://kernel.ubuntu.com/git?p=serge/quantal-userns.git;a=summary for patches yet to be merged) But certainly if you want to start queueing such patches in your own git tree to experiment with exactly what is needed for unprivileged containers that would be very interesting. I'll be overrun and then missing for a bit, but in 2 or 3 weeks I may rebuild and then flesh out my own tree with new patches. Would be happy to look at anything you come up with in the meantime, and work with you then. > Signed-off-by: Zhao Hongjiang<zhaohongjiang@xxxxxxxxxx> > Signed-off-by: Huang Qiang <h.huangqiang@xxxxxxxxxx> > --- > net/sysctl_net.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/net/sysctl_net.c b/net/sysctl_net.c > index c3e65ae..ee31777 100644 > --- a/net/sysctl_net.c > +++ b/net/sysctl_net.c > @@ -47,7 +47,7 @@ static int net_ctl_permissions(struct ctl_table_root *root, > struct ctl_table *table) > { > /* Allow network administrator to have same access as root. */ > - if (capable(CAP_NET_ADMIN)) { > + if (nsown_capable(CAP_NET_ADMIN)) { > int mode = (table->mode >> 6) & 7; > return (mode << 6) | (mode << 3) | mode; > } > -- > 1.7.1 > _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
