On Mon, Mar 10, 2025 at 02:47:53PM +0000, Parav Pandit wrote:
> Hi,
>
> > From: Serge E. Hallyn <serge@xxxxxxxxxx>
> > Sent: Monday, March 10, 2025 7:01 PM
> >
> > On Sat, Mar 08, 2025 at 08:06:02PM +0200, Parav Pandit wrote:
> > > A process running in a non-init user namespace possesses the
> > > CAP_NET_RAW capability. However, the patch cited in the fixes tag
> > > checks the capability in the default init user namespace.
> > > Because of this, when the process was started by Podman in a
> > > non-default user namespace, the flow creation failed.
> > >
> > > Fix this issue by checking the CAP_NET_RAW networking capability in
> > > the owner user namespace that created the network namespace.
> >
> > Hi,
> >
> > you say
> >
> > > Fix this issue by checking the CAP_NET_RAW networking capability in the
> > > owner user namespace that created the network namespace.
> >
> > But in fact you are checking the CAP_NET_RAW against the user's network
> > namespace.
>
> I didn't understand your comment.
> The fix takes the current process's network namespace by referring to
> current->nsproxy->net_ns.
> Each net ns has its owning user namespace which created it.
> So the patch is checking caps in that user namespace.
>
> Can you please elaborate?

It looks like it got straightened out later with Eric's reply. Please
let me know if that's not the case.

-serge
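The distinction the thread turns on (a capability held in a process's own user namespace versus one held in the init user namespace) can be seen in a small userspace model of the kernel's cap_capable() walk from security/commoncap.c. This is an added illustration, not code from the thread, from the patch under discussion, or from the kernel itself: the struct names, the `cap_capable_model()`/`check_init_ns()`/`check_net_owner_ns()` helpers, and the scenario values (uid 1000 creating a child user namespace at level 1, as rootless Podman does) are simplified stand-ins constructed for the example. It shows that a container task holding CAP_NET_RAW in its own user namespace fails a check against the init user namespace but passes a check against the user namespace that owns its net namespace, while host root passes both.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_NET_RAW 13  /* value of CAP_NET_RAW in linux/capability.h */

/* Simplified stand-ins for struct user_namespace, struct net and struct cred. */
struct user_ns {
    struct user_ns *parent;  /* NULL for the init user namespace */
    int level;               /* nesting depth: init is 0, its children 1, ... */
    uint32_t owner_kuid;     /* global (kernel) uid of the task that created it */
};

struct net_ns {
    struct user_ns *user_ns; /* user namespace that created and owns this net ns */
};

struct cred {
    struct user_ns *user_ns; /* user namespace the task belongs to */
    uint32_t euid_kuid;      /* task's effective uid as a global kernel uid */
    uint64_t cap_effective;  /* bitmask of effective capabilities */
};

/* Model of cap_capable(): a task holds `cap` in targ_ns if the cap is in its
 * effective set and targ_ns is its own user ns, or if targ_ns is (or descends
 * from) a direct child user ns that the task's euid created. A task can never
 * be capable in an ancestor of its own user namespace. */
static int cap_capable_model(const struct cred *cred, const struct user_ns *targ_ns, int cap)
{
    const struct user_ns *ns = targ_ns;
    for (;;) {
        if (ns == cred->user_ns)
            return (cred->cap_effective & (1ULL << cap)) ? 0 : -EPERM;
        /* targ_ns is not below the task's user ns: deny. */
        if (ns->level <= cred->user_ns->level)
            return -EPERM;
        /* The uid that created a child user ns holds every cap in it. */
        if (ns->parent == cred->user_ns && ns->owner_kuid == cred->euid_kuid)
            return 0;
        ns = ns->parent;
    }
}

/* Constructed namespace tree: init -> a user ns created by unprivileged uid 1000. */
static struct user_ns init_user_ns = { .parent = NULL, .level = 0, .owner_kuid = 0 };
static struct user_ns podman_user_ns = { .parent = &init_user_ns, .level = 1, .owner_kuid = 1000 };
static const struct net_ns podman_net_ns = { .user_ns = &podman_user_ns };

/* Container task: lives in podman_user_ns and holds CAP_NET_RAW there. */
static const struct cred container_cred = {
    .user_ns = &podman_user_ns, .euid_kuid = 1000, .cap_effective = 1ULL << CAP_NET_RAW,
};
/* Host task of uid 1000 (the namespace creator) with no capabilities at all. */
static const struct cred host_owner_cred = {
    .user_ns = &init_user_ns, .euid_kuid = 1000, .cap_effective = 0,
};
/* Host root: every capability in the init user namespace. */
static const struct cred host_root_cred = {
    .user_ns = &init_user_ns, .euid_kuid = 0, .cap_effective = ~0ULL,
};

/* The check the thread describes as broken: CAP_NET_RAW is tested against the
 * init user namespace no matter where the task and its net namespace live. */
static int check_init_ns(const struct cred *cred)
{
    return cap_capable_model(cred, &init_user_ns, CAP_NET_RAW);
}

/* The fix described in the thread: test against the user namespace that owns
 * the task's current net namespace (net->user_ns in the kernel). */
static int check_net_owner_ns(const struct cred *cred, const struct net_ns *net)
{
    return cap_capable_model(cred, net->user_ns, CAP_NET_RAW);
}

int main(void)
{
    printf("container task, init-ns check:  %d (-EPERM is %d)\n",
           check_init_ns(&container_cred), -EPERM);
    printf("container task, owner-ns check: %d\n",
           check_net_owner_ns(&container_cred, &podman_net_ns));
    printf("host uid 1000, owner-ns check:  %d\n",
           check_net_owner_ns(&host_owner_cred, &podman_net_ns));
    printf("host uid 1000, init-ns check:   %d\n", check_init_ns(&host_owner_cred));
    printf("host root, owner-ns check:      %d\n",
           check_net_owner_ns(&host_root_cred, &podman_net_ns));
    return 0;
}
```

Two properties of the walk are worth noting for review of such a change: checking against the owning user namespace grants nothing in the init user namespace (the uid-1000 host task still fails `check_init_ns`), and the uid that created the child namespace is treated as fully capable inside it even with an empty capability set, which is the kernel's normal ownership rule rather than something the fix introduces.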