On Sun, Oct 13, 2024 at 06:34:18PM +0200, Amir Goldstein wrote:
> On Fri, May 24, 2024 at 2:35 PM Amir Goldstein <amir73il@xxxxxxxxx> wrote:
> >
> > On Fri, May 24, 2024 at 1:19 PM Christian Brauner <brauner@xxxxxxxxxx> wrote:
> > >
> > > A current limitation of open_by_handle_at() is that it's currently not possible
> > > to use it from within containers at all because we require CAP_DAC_READ_SEARCH
> > > in the initial namespace. That's unfortunate because there are scenarios where
> > > using open_by_handle_at() from within containers.
> > >
> > > Two examples:
> > >
> > > (1) cgroupfs allows to encode cgroups to file handles and reopen them with
> > >     open_by_handle_at().
> > > (2) Fanotify allows placing filesystem watches they currently aren't usable in
> > >     containers because the returned file handles cannot be used.
> > >
>
> Christian,
>
> Follow up question:
> Now that open_by_handle_at(2) is supported from non-root userns,
> What about this old patch to allow sb/mount watches from non-root userns?
> https://lore.kernel.org/linux-fsdevel/20230416060722.1912831-1-amir73il@xxxxxxxxx/
>
> Is it useful for any of your use cases?
> Should I push it forward?

Dammit, I answered that message already yesterday but somehow it didn't
get sent or lost in some other way.

I personally don't have a use-case for it but the systemd folks might
and it would be best to just rope them in.