Quoting Nikola Kotur (kotn...@gmail.com): > On Tue, 19 Nov 2013 15:48:36 -0600 > Serge Hallyn <serge.hal...@ubuntu.com> wrote: > > > Quoting Nikola Kotur (kotn...@gmail.com): > > > There are scenarios in which we want to execute process with > > > specific privileges elevated. > > > > thanks for submitting this patch. No objection overall, however > > there are a few existing places where elevated_privileges is set to 1 > > which you are not updating. > > Thanks for the review and for catching this. I will update the patch > and resend it (along with a signed-off-by). > > > I also notice that currently it seems broken as the manpage says that > > -R should imply -e, but i don't see where that is enforced any more. > > Actually, it's not -R that implies -e, it's the -s option (specifying > which namespaces to attach to).
Well huh. I was sure I saw a comment about -R implying -e, but I don't see it now, so that's fine :) > And if you have a bit of time I'd appreciate if you could explain why > should we elevate privileges for attaching to specific namespace? Seems > to me that it is unrelated, since I should be able to enter NETWORK ns TBH I'm not sure. It was like that since the start of the -s feature, which is commit e13eeea2db3743bf8d3fe2833e069a80e2c4102c, but I don't see the rationale for it in the git history or mailing list. Christian? > while not elevating cgroup, for example? I haven't thought it through, but I could imagine it being a problem if attach tries to enter you into the container's LSM domain while you're only in its ipc namespace. You might not (with a strict selinux policy) be able to read any host files, and therefore execute anything. But I suspect there's a simpler rationale. -serge ------------------------------------------------------------------------------ Shape the Mobile Experience: Free Subscription Software experts and developers: Be at the forefront of tech innovation. Intel(R) Software Adrenaline delivers strategic insight and game-changing conversations that shape the rapidly evolving mobile landscape. Sign up now. http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk _______________________________________________ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
