call setns(2) (requires CAP_SYS_ADMIN in the target namespace);
--You received this message because you are subscribed to the Google Groups "docker-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to docker-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
A single-threaded process can join another user namespace with setns(2) if it has the CAP_SYS_ADMIN in that namespace;
A process reassociating itself with a user namespace must have the CAP_SYS_ADMIN capability in the target user namespace. Upon successfully joining a user namespace, a process is granted all capabilities in that namespace, regardless of its user and group IDs.
1. caps are placed on a process, not the namespace. operations/syscalls maybe namespaced others are not.
call setns(2) (requires CAP_SYS_ADMIN in the target namespace);
So, what does mean a documentation?
W dniu poniedziałek, 16 października 2017 20:55:44 UTC+2 użytkownik Michael Crosby napisał:
1. caps are placed on a process, not the namespace. operations/syscalls maybe namespaced others are not.2. reasoning about what? containers are as secure as their users make them to be. if you poke holes in the container by adding caps, sharing the host namespaces, etc then you will be performing operations on the host depending on what you configured.
On Mon, Oct 16, 2017 at 2:47 PM, <goci...@gmail.com> wrote:
Thanks, but please note that my question was another.--
W dniu poniedziałek, 16 października 2017 17:04:01 UTC+2 użytkownik Michael Crosby napisał:Its not recommend to use either. I in the context of `privileged`, its encouraging you to not use the blanket `--privileged` flag that enables everything but the user should find the specific set of capabilities that their container requires to perform the required action.For example if you have an application that needs to modify iptables or routes then you would not set SYS_ADMIN but NET_ADMIN to only enable privileged network operations.There is more behind the privileged flag than just one capability(apparmor, seccomp, etc...).
You received this message because you are subscribed to the Google Groups "docker-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to docker-dev+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
-------------------------------------------Michael Crosby@crosbymichael
--
You received this message because you are subscribed to the Google Groups "docker-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to docker-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
1. caps are placed on a process, not the namespace. operations/syscalls maybe namespaced others are not.
A process reassociating itself with a user namespace must have the
CAP_SYS_ADMIN capability in the target user namespace. Upon
successfully joining a user namespace, a process is granted all
capabilities in that namespace, regardless of its user and group IDs.
So, if we use user namespace the process from container cannot join to usernamespace. But, can it join to other namespaces, like filesystem/PID namespaces?