Yes, no need to set init_uid in this situation (unprivileged container + setcap).

lxc.network.type = none --> CLONE_NEWNET is not set at clone --> when creating a raw socket, the kernel runs cap_capable(): ns != cred->user_ns --> cap_raised() is not checked --> the unprivileged testapp gets an EPERM error.

Does cap_capable() need to be patched for this case?
On Sat, Dec 16, 2017 at 1:07 AM Serge E. Hallyn <[email protected]> wrote:
> Quoting Philip ([email protected]):
> > Please ignore step 4, lxc.id_map only allows ONE uid/gid, so
> > lxc_switch_uid_gid will fail
>
> I'm not sure what you mean by that, but your id mapping makes
> uid 2000 on the host map to 0 in the container, and that is the
> only uid in the container.
>
> So lxc.init_uid would need to be 0 - the id in the container.
>
> > On Fri, Dec 15, 2017 at 10:17 AM Philip <[email protected]> wrote:
> > > Hi,
> > >
> > > I want to use unprivileged container + setcap to set limited capabilities,
> > > but cannot succeed; here is my test (lxc-1.0.8 and lxc-2.0.8):
> > >
> > > testapp:
> > > int ret = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
> > > fprintf(stderr, "socket ret %d, %s\n", ret, strerror(errno));
> > >
> > > 1. add net_raw capability
> > > setcap cap_net_admin,cap_net_raw=eip ./testapp
> > >
> > > 2. switch to uid 2000, execute testapp
> > > $ ./testapp
> > > socket ret 3, Success
> > >
> > > 3. use unprivileged container to run testapp
> > > lxc config:
> > > lxc.network.type = none
> > > lxc.id_map = u 0 2000 1
> > > lxc.id_map = g 0 2000 1
> > >
> > > sudo lxc-execute -n testapp -f config -P /files/testapp
> > > ....
> > > socket ret -1, Operation not permitted
> > >
> > > 4. using lxc-2.0.8, add init_uid/init_gid
> > > lxc.init_uid = 2000
> > > lxc.init_gid = 2000
> > >
> > > lxc-execute: utils.c: lxc_switch_uid_gid: 2069 Invalid argument - Failed to switch to gid 2000.
> > >
> > > Can anyone help, what is going wrong?
> > >
> > _______________________________________________
> > lxc-users mailing list
> > [email protected]
> > http://lists.linuxcontainers.org/listinfo/lxc-users
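The chain described in the reply above (no new network namespace, so the raw socket is created in the host netns, which is owned by the initial user namespace, and the container's user namespace holds no capabilities over it) can be reproduced without LXC. The program below is an added example, not code from this thread or from LXC: it forks a child, unshares a user namespace with and without CLONE_NEWNET, and tries the same socket() call as testapp. It assumes a Linux host; where unprivileged user namespaces are disabled it reports that instead of a verdict.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcomes reported by raw_socket_in_userns(). */
enum { RAW_OK = 0, RAW_EPERM = 1, RAW_OTHER_ERR = 2, UNSHARE_FAILED = 3 };

/*
 * Fork a child, move it into a fresh user namespace (plus the namespaces in
 * extra_flags), and try the same raw socket call as the thread's testapp.
 * The parent returns the child's outcome and keeps its own namespaces.
 */
int raw_socket_in_userns(int extra_flags)
{
    pid_t pid = fork();
    if (pid < 0)
        return UNSHARE_FAILED;
    if (pid == 0) {
        /* EPERM/ENOSPC here means user namespaces are unavailable. */
        if (unshare(CLONE_NEWUSER | extra_flags) < 0)
            _exit(UNSHARE_FAILED);
        /* The child holds full capabilities in the NEW user namespace, but
         * CAP_NET_RAW is checked against the user namespace owning the
         * netns: the initial one for the host netns (extra_flags == 0),
         * our own new one when CLONE_NEWNET is included. */
        int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
        if (fd >= 0)
            _exit(RAW_OK);
        _exit(errno == EPERM ? RAW_EPERM : RAW_OTHER_ERR);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return RAW_OTHER_ERR;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *verdict[] = { "success", "EPERM", "other error",
                                     "unshare failed (user namespaces unavailable)" };
    printf("new userns, host netns (lxc.network.type = none): %s\n",
           verdict[raw_socket_in_userns(0)]);
    printf("new userns + new netns:                           %s\n",
           verdict[raw_socket_in_userns(CLONE_NEWNET)]);
    return 0;
}
```

On a host with unprivileged user namespaces enabled the first line prints EPERM and the second prints success, which is the difference between lxc.network.type = none and giving the container its own network namespace.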
