Re: [PATCH v2] xattr: Enable security.capability in user namespaces
From: Stefan Berger
Date: Tue Jul 18 2017 - 08:12:42 EST
On 07/18/2017 03:01 AM, James Morris wrote:
On Thu, 13 Jul 2017, Stefan Berger wrote:
A file shared by 2 containers, one mapping root to uid=1000, the other mapping
root to uid=2000, will show these two xattrs on the host (init_user_ns) once
these containers set xattrs on that file.
I may be missing something here, but what happens when say the uid=2000
container and associated user is deleted from the system, then another is
created with the same uid?
Won't this mean that you have unexpected capabilities turning up in the
new container?
Yes, that's right. I don't know any solution for that. We would have to
walk the filesystems and find all 'stale' xattrs with such a uid. This
is independent of whether the uid is encoded on the name side, as in
this patch, or on the value side, as in Serge's original proposal. And
uids of a mapped container root user don't necessarily have to have an
account on the host so that an account deletion could trigger that.
Stefan