Comment 20 for bug 1654676

Serge Hallyn (serge-hallyn) wrote :

As I said,

"I've convinced myself on irc that there is a legitimate case where this would fail, which current lxc would not support"

It's a tradeoff in my mind. Remembering that lxc-user-nic runs as setuid-root, ignoring any unexpected failure is dangerous. That was the real cause of the sendmail-capabilities bug.

Actually, now I've just convinced myself that the above case is *not* legitimate.

If root is not able to setns() back to the original netns, then it also would not have been able to create a network device in that namespace, or attach it to the bridge in that namespace.

So there is, AFAICS, no legitimate case where setns(oldfd, 0) would fail, but execution should continue as normal.
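The point of the comment, that a setuid-root helper must treat a failed setns(oldfd, 0) back to the original network namespace as fatal rather than silently carry on, can be shown in a small C sketch. This is an added illustration, not lxc-user-nic's own code: the function names `restore_netns_lenient` and `restore_netns_strict` are hypothetical, and the program only opens its own `/proc/self/ns/net` as the saved namespace fd.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * The pattern the comment argues against: the return value of setns()
 * is discarded, so the caller keeps running in whatever namespace it
 * happens to be in, with root privileges, after an unexpected failure.
 * Always reports success.
 */
int restore_netns_lenient(int oldfd)
{
    (void)setns(oldfd, 0); /* 0 = accept any namespace type */
    return 0;
}

/*
 * Fail-closed variant: returns 0 only if setns() succeeded, otherwise
 * returns -1 with errno left as set by setns(). The caller is expected
 * to abort rather than continue (see run_privileged_step below).
 */
int restore_netns_strict(int oldfd)
{
    if (setns(oldfd, 0) < 0)
        return -1;
    return 0;
}

/*
 * Skeleton of a privileged step: remember the current netns, do work
 * that may switch namespaces, then insist on getting back. Returns 0
 * on success, or -1 if the namespace could not be restored, in which
 * case no further privileged work must be done.
 */
int run_privileged_step(void)
{
    int oldfd = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC);
    if (oldfd < 0)
        return -1;

    /* ... work that may call setns() into another netns would go here ... */

    int rc = restore_netns_strict(oldfd);
    int saved_errno = errno;
    close(oldfd);
    if (rc < 0) {
        fprintf(stderr, "setns back to original netns failed: %s; aborting\n",
                strerror(saved_errno));
        errno = saved_errno;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* An invalid fd makes the difference between the two variants visible
     * without needing any privilege: the lenient version claims success. */
    printf("lenient(-1) -> %d\n", restore_netns_lenient(-1));
    printf("strict(-1)  -> %d (errno=%s)\n", restore_netns_strict(-1),
           strerror(errno));

    /* Restoring our own netns needs CAP_SYS_ADMIN over it, so as an
     * unprivileged user this path typically fails with EPERM and the
     * program exits non-zero instead of continuing. */
    if (run_privileged_step() < 0)
        return 1;
    puts("back in original netns, continuing");
    return 0;
}
```

The strict variant is the behaviour the comment asks for: with an invalid or unusable fd, setns() fails, the error is surfaced, and the helper stops instead of doing further root-privileged work in an unknown namespace.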