[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LRH.2.20.1707181659030.5209@namei.org>
Date: Tue, 18 Jul 2017 17:01:36 +1000 (AEST)
From: James Morris <jmorris@...ei.org>
To: Stefan Berger <stefanb@...ux.vnet.ibm.com>
cc: "Theodore Ts'o" <tytso@....edu>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
"Serge E. Hallyn" <serge@...lyn.com>,
containers@...ts.linux-foundation.org, lkp@...org,
linux-kernel@...r.kernel.org, zohar@...ux.vnet.ibm.com,
tycho@...ker.com, James.Bottomley@...senPartnership.com,
vgoyal@...hat.com, christian.brauner@...lbox.org,
amir73il@...il.com, linux-security-module@...r.kernel.org,
casey@...aufler-ca.com
Subject: Re: [PATCH v2] xattr: Enable security.capability in user
namespaces
On Thu, 13 Jul 2017, Stefan Berger wrote:
> A file shared by 2 containers, one mapping root to uid=1000, the other mapping
> root to uid=2000, will show these two xattrs on the host (init_user_ns) once
> these containers set xattrs on that file.
I may be missing something here, but what happens when say the uid=2000
container and associated user is deleted from the system, then another is
created with the same uid?
Won't this mean that you have unexpected capabilities turning up in the
new container?
--
James Morris
<jmorris@...ei.org>
Powered by blists - more mailing lists