[lxc/lxc] 91ad9b: conf: handle kernels with CAP_SETFCAP
1 view
Skip to first unread message
Christian Brauner
May 6, 2021, 12:50:37 PM5/6/21
to lxc-...@lists.linuxcontainers.org
Branch: refs/heads/stable-4.0
Home: https://github.com/lxc/lxc
Commit: 91ad9b94bcd964adfbaa8d84d8f39304d39835d0
https://github.com/lxc/lxc/commit/91ad9b94bcd964adfbaa8d84d8f39304d39835d0
Author: Christian Brauner <christia...@ubuntu.com>
Date: 2021-05-06 (Thu, 06 May 2021)
Changed paths:
M src/lxc/conf.c
Log Message:
-----------
conf: handle kernels with CAP_SETFCAP
LXC is being very clever and sometimes maps the caller's uid into the
child userns. This means that the caller can technically write fscaps
that are valid in the ancestor userns (which can be a security issue in
some scenarios) so newer kernels require CAP_SETFCAP to do this. Until
newuidmap/newgidmap are updated to account for this simply write the
mapping directly in this case.
Cc: stable-4.0
Signed-off-by: Christian Brauner <christia...@ubuntu.com>
Home: https://github.com/lxc/lxc
Commit: 91ad9b94bcd964adfbaa8d84d8f39304d39835d0
https://github.com/lxc/lxc/commit/91ad9b94bcd964adfbaa8d84d8f39304d39835d0
Author: Christian Brauner <christia...@ubuntu.com>
Date: 2021-05-06 (Thu, 06 May 2021)
Changed paths:
M src/lxc/conf.c
Log Message:
-----------
conf: handle kernels with CAP_SETFCAP
LXC is being very clever and sometimes maps the caller's uid into the
child userns. This means that the caller can technically write fscaps
that are valid in the ancestor userns (which can be a security issue in
some scenarios) so newer kernels require CAP_SETFCAP to do this. Until
newuidmap/newgidmap are updated to account for this simply write the
mapping directly in this case.
Cc: stable-4.0
Signed-off-by: Christian Brauner <christia...@ubuntu.com>
Reply all
Reply to author
Forward
0 new messages