Re: [PATCH v2] xattr: Enable security.capability in user namespaces

From: Serge E. Hallyn
Date: Thu Jul 13 2017 - 17:17:57 EST

Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> writes:
> If you don't care about the ownership of the files, and read only is
> acceptable, and you still don't want to give these executables
> capabilities in the initial user namespace. What you can do is
> make everything owned by some non-zero uid including the security
> capability. Call this non-zero uid image-root.
> When the container starts it creates two nested user namespaces first
> with image-root mapped to 0. Then with the containers choice of uid
> mapped to 0 image-root unmapped. This will ensure the capability
> attributes work for all containers that share that root image. And it
> ensures the file are read-only from the container.
> So I don't think there is ever a case where we would share a filesystem
> image where we would need to set multiple security attributes on a file.

Neat idea. In fact, you can take it a step further and still have the
files be owned by valid uids in the containers. The parent ns just
needs to have its *root* map to a common kuid not mapped into the child
namespaces, but the files can be owned by another kuid which *is* mapped
into the child containers.