Quoting Eric W. Biederman (ebied...@xmission.com):
> "Serge E. Hallyn" writes:
>
> > Quoting Eric W. Biederman (ebied...@xmission.com):
> >> > @@ -657,8 +898,11 @@ int cap_inode_setxattr(struct dentry *dentry, const
> >> > char *name,
> >> > const void *value, size_t size
"Serge E. Hallyn" writes:
> Quoting Eric W. Biederman (ebied...@xmission.com):
>> > @@ -657,8 +898,11 @@ int cap_inode_setxattr(struct dentry *dentry, const
>> > char *name,
>> > const void *value, size_t size, int flags)
>> > {
>> >if (!strcmp(name, XATTR_NAME_CAPS)) {
>>
Quoting Eric W. Biederman (ebied...@xmission.com):
> > @@ -657,8 +898,11 @@ int cap_inode_setxattr(struct dentry *dentry, const
> > char *name,
> >const void *value, size_t size, int flags)
> > {
> > if (!strcmp(name, XATTR_NAME_CAPS)) {
> > - if (!capable(CAP_SE
"Serge E. Hallyn" writes:
> Root in a user ns cannot be trusted to write a traditional
> security.capability xattr. If it were allowed to do so, then any
> unprivileged user on the host could map his own uid to root in a
> namespace, write the xattr, and execute the file with privilege on the
>
Root in a user ns cannot be trusted to write a traditional
security.capability xattr. If it were allowed to do so, then any
unprivileged user on the host could map his own uid to root in a
namespace, write the xattr, and execute the file with privilege on the
host.
This patch introduces v3 of the