Quoting Stefan Berger (stefanb@xxxxxxxxxxxxxxxxxx): > On 07/13/2017 08:38 PM, Eric W. Biederman wrote: > >Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> writes: > > > >>On 07/13/2017 01:49 PM, Eric W. Biederman wrote: > >> > >>>My big question right now is can you implement Ted's suggested > >>>restriction. Only one security.foo or secuirty.foo@... attribute ? > >>We need to raw-list the xattrs and do the check before writing them. I am fairly sure this can be done. > >> > >>So now you want to allow security.foo and one security.foo@uid=<> or just a single one security.foo(@[[:print:]]*)? > >> > >The latter. > > That case would prevent a container user from overriding the xattr > on the host. Is that what we want? For limiting the number of xattrs Not really. If the file is owned by a uid mapped into the container, then the container root can chown the file which will clear the file capability, after which he can set a new one. If the file is not owned by a uid mapped into the container, then container root could not set a filecap anyway. -serge _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
