[PATCH 1/1] RFC: taking a crack at targeted capabilities

Eric W. Biederman ebiederm at xmission.com
Wed Jan 6 12:43:41 PST 2010


"Serge E. Hallyn" <serue at us.ibm.com> writes:

> But that's only if fred has CAP_KILL in a user namespace which is
> ancestor to joe's process.  Only fred's processes in a child
> userns should have CAP_KILL.

Got it.  What I don't see in your implementation is how you can kill a
child that is in its own user namespace if you don't have CAP_KILL.

>> Which matters because we can set the hostname through /proc/sys....
>
> Oh, right.  However, utsname doesn't have a creator, and we won't always
> want to use user namespaces to authorize.  For instance, for CAP_NET_ADMIN
> we'll want to compare the net_ns.  That's why I had the switch inside
> capable_to() based on ns type.

I disagree.  For CAP_NET_ADMIN we will want to do:
ns_capable(net->userns, CAP_NET_ADMIN);

Network namespaces do not have a hierarchy so I don't see how they
would be useful in this context.

When we add an unprivileged unshare it is trivial to capture either
the creator or at least the creator's user namespace.  Giving us a
user namespace to compare against.

Eric
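The check Eric is proposing, ns_capable(net->userns, CAP_NET_ADMIN), only works because user namespaces form a tree while network namespaces do not. Below is an added user-space model of that idea, written for this page; it is not code from the thread or from the kernel. The struct and function names (user_ns, net_ns, cred, cap_effective, ns_capable, net_ns_create, can_kill, can_admin_net) echo kernel naming but are hypothetical simplifications, and the fred/joe scenario is constructed to match the discussion above: fred holds CAP_KILL and CAP_NET_ADMIN only in his own child namespace, so he can act on things owned by that namespace and its descendants but not on joe in the parent.

```c
/*
 * Added example, not code from the thread or the kernel: a user-space model
 * of ns_capable(ns, cap) over a parent-linked user namespace hierarchy.
 * All structures and functions here are hypothetical simplifications.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_KILL       5    /* same numbering as linux/capability.h */
#define CAP_NET_ADMIN  12

struct user_ns {
    const char *name;
    const struct user_ns *parent;   /* NULL for the initial user namespace */
};

struct cred {
    const struct user_ns *user_ns;  /* namespace the process's uids live in */
    uint64_t cap_effective;         /* capabilities held relative to user_ns */
};

/* Network namespaces have no hierarchy of their own; what one can carry is
 * the user namespace of whoever created it (assumed field, not kernel's). */
struct net_ns {
    const char *name;
    const struct user_ns *userns;
};

/* True if `a` is `ns` itself or one of its ancestors. */
static bool userns_is_ancestor(const struct user_ns *a, const struct user_ns *ns)
{
    for (; ns != NULL; ns = ns->parent)
        if (ns == a)
            return true;
    return false;
}

/* Model of ns_capable(ns, cap): the caller holds `cap` over `ns` only if the
 * bit is set in its own user namespace and that namespace is `ns` or an
 * ancestor of `ns`.  A capability held in a child namespace never reaches
 * up to the parent or sideways to a sibling. */
static bool ns_capable(const struct cred *c, const struct user_ns *ns, int cap)
{
    if (!(c->cap_effective & (1ULL << cap)))
        return false;
    return userns_is_ancestor(c->user_ns, ns);
}

/* Unprivileged unshare of a net namespace: record the creator's user
 * namespace so later checks have something to compare against. */
static void net_ns_create(struct net_ns *net, const char *name, const struct cred *creator)
{
    net->name = name;
    net->userns = creator->user_ns;
}

/* The targeted check from the mail: ns_capable(net->userns, CAP_NET_ADMIN). */
static bool can_admin_net(const struct cred *c, const struct net_ns *net)
{
    return ns_capable(c, net->userns, CAP_NET_ADMIN);
}

/* Signal delivery modelled as CAP_KILL over the target's user namespace. */
static bool can_kill(const struct cred *killer, const struct cred *target)
{
    return ns_capable(killer, target->user_ns, CAP_KILL);
}

/* Constructed scenario: init_ns -> fred_ns (fred's child namespace).
 * root and joe live in init_ns; fred, fred_child and fred_net in fred_ns. */
struct scenario {
    struct user_ns init_ns, fred_ns;
    struct cred root, joe, fred, fred_child;
    struct net_ns init_net, fred_net;
};

static const struct scenario *scenario(void)
{
    static struct scenario s;
    static bool built;
    if (!built) {
        s.init_ns = (struct user_ns){ "init", NULL };
        s.fred_ns = (struct user_ns){ "fred", &s.init_ns };
        s.root = (struct cred){ &s.init_ns, (1ULL << CAP_KILL) | (1ULL << CAP_NET_ADMIN) };
        s.joe  = (struct cred){ &s.init_ns, 0 };
        /* fred holds the caps, but only relative to his own child namespace */
        s.fred = (struct cred){ &s.fred_ns, (1ULL << CAP_KILL) | (1ULL << CAP_NET_ADMIN) };
        s.fred_child = (struct cred){ &s.fred_ns, 0 };
        net_ns_create(&s.init_net, "init_net", &s.root);
        net_ns_create(&s.fred_net, "fred_net", &s.fred);
        built = true;
    }
    return &s;
}

int main(void)
{
    const struct scenario *s = scenario();
    printf("root kills fred:       %d\n", can_kill(&s->root, &s->fred));
    printf("fred kills joe:        %d\n", can_kill(&s->fred, &s->joe));
    printf("fred kills fred_child: %d\n", can_kill(&s->fred, &s->fred_child));
    printf("fred admins fred_net:  %d\n", can_admin_net(&s->fred, &s->fred_net));
    printf("fred admins init_net:  %d\n", can_admin_net(&s->fred, &s->init_net));
    return 0;
}
```

The point the model makes concrete: comparing against net_ns itself would give no answer for a net namespace unshared by fred, because there is nothing to walk up from; comparing against the user namespace captured at creation lets root in the parent still administer fred_net while fred cannot touch init_net.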

