Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx): > Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> writes: > If you don't care about the ownership of the files, and read only is > acceptable, and you still don't want to give these executables > capabilities in the initial user namespace. What you can do is > make everything owned by some non-zero uid including the security > capability. Call this non-zero uid image-root. > > When the container starts it creates two nested user namespaces first > with image-root mapped to 0. Then with the containers choice of uid > mapped to 0 image-root unmapped. This will ensure the capability > attributes work for all containers that share that root image. And it > ensures the file are read-only from the container. > > So I don't think there is ever a case where we would share a filesystem > image where we would need to set multiple security attributes on a file. Neat idea. In fact, you can take it a step further and still have the files be owned by valid uids in the containers. The parent ns just needs to have its *root* map to a common kuid not mapped into the child namespaces, but the files can be owned by another kuid which *is* mapped into the child containers. _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
