On Wed, 2013-03-20 at 13:36 -0500, Serge Hallyn wrote: > Quoting Aristeu Rozanski (arozansk@xxxxxxxxxx): > > This is a bit fuzzy to me, perhaps due I'm not fully understanding > > userns implementation yet, so bear with me: > > I thought of changing so userns would not grant CAP_AUDIT_WRITE and > > CAP_AUDIT_CONTROL unless the process already has it (i.e. it'd require > > Seems like CAP_AUDIT_WRITE should be targeted against the > skb->netns->userns. Then CAP_AUDIT_WRITE can be treated like any other > capability. Last I knew (long time ago) you had to be in init_user_ns > to talk audit, but that's ok - this would just do the right thing in > any case. kauditd should be considered as existing in the init user namespace. So I'd think we'd want to check if the process had CAP_AUDIT_WRITE in the init user namespace and if so, allow it to send messages. Who care what *ns the process exists in. If it has it in the init namespace, go ahead. Thus the process that created the container would need CAP_AUDIT_WRITE in the init namespace for this to all work, right? /me also gets so confused about what caps mean in the userns world. (/me has larger issues with the ns concept as a whole, but that boat sailed years and years ago) _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
