On Mon, Dec 18, 2017 at 01:28:44AM +0000, Philip wrote:
> Yes, no need to set init_uid in this situation (unprivileged container +
> setcap),
> lxc.network.type = none --> CLONE_NEWNET is not set when clone --> when
> create raw socket, kernel cap_capable(), ns != cred->user_ns -->
> cap_raised() is not checked --> unprivileged testapp get EPERM error
> Does cap_capable() need to be patched for this case?

... if you're suggesting patching cap_capable() so that you get CAP_NET_ADMIN or CAP_NET_RAW in that case, that's a bad idea, since then any unpriv process can just clone a new userns to gain privilege against the host's network ns.
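
Added example (not part of the original thread and not kernel source): a simplified userspace model of the user-namespace walk in cap_capable(), showing why a task holding every capability in a new user namespace still gets EPERM for CAP_NET_RAW when the network namespace belongs to the host. The struct layouts and the raw_socket_check() helper are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace model; type and field names are illustrative. */
struct user_ns {
    struct user_ns *parent; /* NULL for the initial user namespace */
    int level;              /* nesting depth, 0 for the initial namespace */
    unsigned owner;         /* uid that created this namespace */
};
struct cred {
    struct user_ns *user_ns;     /* namespace the capability sets apply to */
    unsigned euid;
    unsigned long cap_effective;
};
#define CAP_NET_RAW 13

/* 0 if cred may use cap on a resource owned by target, else -EPERM. */
int model_cap_capable(const struct cred *cred, const struct user_ns *target, int cap)
{
    for (const struct user_ns *ns = target;; ns = ns->parent) {
        if (ns == cred->user_ns)  /* same namespace: effective set decides */
            return ((cred->cap_effective >> cap) & 1UL) ? 0 : -EPERM;
        if (ns->level <= cred->user_ns->level) /* target is not a descendant */
            return -EPERM;
        if (ns->parent == cred->user_ns && ns->owner == cred->euid)
            return 0;             /* creator of a child namespace owns it */
    }
}

/* Constructed scenario: uid 1000 creates a user namespace and holds all
 * capabilities inside it. The network namespace is owned by that new user
 * namespace only when CLONE_NEWNET was used; otherwise it is the host's. */
int raw_socket_check(bool clone_newnet)
{
    struct user_ns init_ns = { NULL, 0, 0 };
    struct user_ns child = { &init_ns, 1, 1000 };
    struct cred task = { &child, 0, ~0UL };
    const struct user_ns *netns_owner = clone_newnet ? &child : &init_ns;
    return model_cap_capable(&task, netns_owner, CAP_NET_RAW);
}

int main(void)
{
    printf("host netns (no CLONE_NEWNET): %d\n", raw_socket_check(false));
    printf("own netns (CLONE_NEWNET):     %d\n", raw_socket_check(true));
    return 0;
}
```

The check is made against the user namespace that owns the network namespace, so capabilities gained by cloning a user namespace never reach the host's network stack.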