On 04/29/2014 06:49 AM, Marian Marinov wrote:
> Hello,
> when using user namespaces I found a bug in the capability checks done
> by ioctl.
>
> If someone tries to use chattr +i while in a different user namespace it
> will get the following:
>
> ioctl(3, EXT2_IOC_SETFLAGS, 0x7fffa4fedacc) = -1 EPERM (Operation not permitted)

NAK. This is correct: you don't want users to be able to unshare(CLONE_NEWUSER) and then start playing with the immutable bit.

--Andy
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
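The scenario from the thread, reproduced as an added example (this is not code from either poster or from the kernel tree): a small C program forks a child, unshares into a new user namespace, maps its own uid to 0 in there, and then tries to set FS_IMMUTABLE_FL (what chattr +i does; FS_IOC_SETFLAGS is the generic name of the EXT2_IOC_SETFLAGS seen in the strace line) on a scratch file it owns. The outcome names, the use of a scratch file under /tmp and the function names are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/fs.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Possible outcomes of the probe, returned as the child's exit status.
 * IMMUTABLE_SET is the one outcome the reply says must never happen. */
enum immutable_probe_result {
    IMMUTABLE_SET       = 0, /* FS_IOC_SETFLAGS succeeded inside the new userns */
    IMMUTABLE_EPERM     = 1, /* refused with EPERM: the behaviour in the strace line */
    IMMUTABLE_OTHER_ERR = 2, /* refused for another reason, e.g. ENOTTY on a
                                filesystem that has no inode flags */
    USERNS_UNAVAILABLE  = 3, /* unshare(CLONE_NEWUSER) failed; nothing attempted */
    PROBE_SETUP_FAILED  = 4  /* fork/open/mkstemp/uid_map failure */
};

/* Map the caller's outer uid to uid 0 inside the fresh namespace. This
 * single-line self-mapping needs no privilege. After it, the file created
 * outside (owned by outer_uid) looks root-owned from inside, so the owner
 * check in the ioctl passes and only the CAP_LINUX_IMMUTABLE check, which
 * the kernel evaluates against the initial user namespace, remains. */
static int map_outer_uid_to_root(uid_t outer_uid)
{
    char line[64];
    int len = snprintf(line, sizeof line, "0 %u 1\n", (unsigned)outer_uid);
    int fd = open("/proc/self/uid_map", O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, line, (size_t)len);
    close(fd);
    return n == len ? 0 : -1;
}

/* In a forked child: enter a new user namespace, then try to set
 * FS_IMMUTABLE_FL on path. Returns one of enum immutable_probe_result.
 * The ioctl is only attempted after unshare() succeeded, so a real-root
 * caller in the initial namespace can never make this return IMMUTABLE_SET
 * without a kernel bug. */
int probe_immutable_from_userns(const char *path)
{
    uid_t outer_uid = geteuid(); /* read before unshare: inside it reads as the overflow uid */
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_SETUP_FAILED;

    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) != 0)
            _exit(USERNS_UNAVAILABLE);
        if (map_outer_uid_to_root(outer_uid) != 0)
            _exit(PROBE_SETUP_FAILED);

        int fd = open(path, O_RDONLY);
        if (fd < 0)
            _exit(PROBE_SETUP_FAILED);

        int flags = 0; /* the kernel reads and writes an int for these ioctls */
        if (ioctl(fd, FS_IOC_GETFLAGS, &flags) != 0)
            _exit(IMMUTABLE_OTHER_ERR);
        flags |= FS_IMMUTABLE_FL;
        if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0)
            _exit(IMMUTABLE_SET);
        _exit(errno == EPERM ? IMMUTABLE_EPERM : IMMUTABLE_OTHER_ERR);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_SETUP_FAILED;
    return WEXITSTATUS(status);
}

/* Create a scratch file we own (assumed location: /tmp), probe it, clean up. */
int probe_immutable_on_scratch_file(void)
{
    char path[] = "/tmp/userns-immutable-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return PROBE_SETUP_FAILED;
    close(fd);
    int result = probe_immutable_from_userns(path);
    unlink(path);
    return result;
}

int main(void)
{
    static const char *const names[] = {
        "BUG: immutable bit set from inside a new user namespace",
        "EPERM: immutable bit refused, as expected",
        "ioctl failed for another reason (filesystem without inode flags?)",
        "unshare(CLONE_NEWUSER) not permitted here; nothing attempted",
        "setup failed",
    };
    int r = probe_immutable_on_scratch_file();
    printf("%s\n", names[r]);
    return r == IMMUTABLE_SET ? 1 : 0;
}
```

The probe runs in a forked child so the caller is not left inside the new namespace, and it maps its uid before the ioctl so that the owner check passes and the refusal is the capability check itself (EPERM, as in the strace line) rather than an ownership failure. On a filesystem without inode flags, or where unprivileged user namespaces are disabled, the program reports that instead of claiming a result it could not test.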