Re: [PATCH v2] Introduce v3 namespaced file capabilities

2017-04-29 Thread Eric W. Biederman
"Serge E. Hallyn" writes:

[snip]

> A patch to linux-test-project adding a new set of tests for this
> functionality is in the nsfscaps branch at github.com/hallyn/ltp
>
> Changelog:
>    Nov 02 2016: fix invalid check at refuse_fcap_overwrite()
>    Nov 07 2016: convert rootid from and to fs

[PATCH v2] Introduce v3 namespaced file capabilities

2017-04-28 Thread Serge E. Hallyn
Root in a non-initial user ns cannot be trusted to write a traditional security.capability xattr. If it were allowed to do so, then any unprivileged user on the host could map his own uid to root in a private namespace, write the xattr, and execute the file with privilege on the host. However
