Comment 12 for bug 1576341

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1576341] Re: fails in lxd container

Quoting Martin Pitt (<email address hidden>):
> So would a namespace aware check for CAP_SYS_AUDIT say "no" then? (The
> audit subsystem isn't namespace aware right now). What would such a check
> look like in userspace?

I suppose a namespace aware check for CAP_SYS_AUDIT would look like an
fcntl or something funky against an nsfs inode for a user namespace.
Going from an instantiated or abstract object (like an fd, a pathname,
a process id) to the relevant nsfs inode would be interesting. I.e.
if one day we allow unpriv users to mknod /dev/null, then a check
for CAP_MKNOD against /dev/null might return true, while a check for
CAP_MKNOD against /dev/sda might return false.

This is interesting, but not likely to be ever implemented :)