Re: [Virtio-fs] [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option

On Thu, Jul 23, 2020 at 09:47:33AM -0400, Vivek Goyal wrote: > On Thu, Jul 23, 2020 at 01:28:50PM +0100, Stefan Hajnoczi wrote: > > On Wed, Jul 22, 2020 at 06:58:20PM +0100, Dr. David Alan Gilbert wrote: > > > * Stefan Hajnoczi (stefa...@redhat.com) wrote: > > > > virtiofsd cannot run in an

Re: [Virtio-fs] [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option

On Thu, Jul 23, 2020 at 01:28:50PM +0100, Stefan Hajnoczi wrote: > On Wed, Jul 22, 2020 at 06:58:20PM +0100, Dr. David Alan Gilbert wrote: > > * Stefan Hajnoczi (stefa...@redhat.com) wrote: > > > virtiofsd cannot run in an unprivileged container because CAP_SYS_ADMIN > > > is required to create

Re: [Virtio-fs] [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option

On Wed, Jul 22, 2020 at 02:17:10PM -0400, Vivek Goyal wrote: > On Wed, Jul 22, 2020 at 02:02:05PM +0100, Stefan Hajnoczi wrote: > > virtiofsd cannot run in an unprivileged container because CAP_SYS_ADMIN > > is required to create namespaces. > > > > Introduce a weaker sandbox that is sufficient

Re: [Virtio-fs] [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option

On Wed, Jul 22, 2020 at 02:02:05PM +0100, Stefan Hajnoczi wrote: > virtiofsd cannot run in an unprivileged container because CAP_SYS_ADMIN > is required to create namespaces. > > Introduce a weaker sandbox that is sufficient in container environments > because the container runtime already sets