Re: [PATCH] capabilities: require CAP_SETFCAP to map uid 0 (v3.3)

On Mon, Apr 19, 2021 at 10:42:08PM -0500, Serge Hallyn wrote: > On Mon, Apr 19, 2021 at 06:09:11PM +0200, Christian Brauner wrote: > > On Mon, Apr 19, 2021 at 07:25:14AM -0500, Serge Hallyn wrote: > > > cap_setfcap is required to create file capabilities. > > > > > > Since 8db6c34f1dbc

Re: [PATCH] capabilities: require CAP_SETFCAP to map uid 0 (v3.3)

On Mon, Apr 19, 2021 at 06:09:11PM +0200, Christian Brauner wrote: > On Mon, Apr 19, 2021 at 07:25:14AM -0500, Serge Hallyn wrote: > > cap_setfcap is required to create file capabilities. > > > > Since 8db6c34f1dbc ("Introduce v3 namespaced file capabilities"), a > > process running as uid 0 but

Re: [PATCH] capabilities: require CAP_SETFCAP to map uid 0 (v3.3)

On Mon, Apr 19, 2021 at 07:25:14AM -0500, Serge Hallyn wrote: > cap_setfcap is required to create file capabilities. > > Since 8db6c34f1dbc ("Introduce v3 namespaced file capabilities"), a > process running as uid 0 but without cap_setfcap is able to work around > this as follows: unshare a new

[PATCH] capabilities: require CAP_SETFCAP to map uid 0 (v3.3)

cap_setfcap is required to create file capabilities. Since 8db6c34f1dbc ("Introduce v3 namespaced file capabilities"), a process running as uid 0 but without cap_setfcap is able to work around this as follows: unshare a new user namespace which maps parent uid 0 into the child namespace. While