]> git.ipfire.org Git - thirdparty/lxc.git/commit
projects / thirdparty / lxc.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 2681861) | patch
namespace: always attach to user namespace first 1308/head
authorChristian Brauner <christian.brauner@canonical.com>
Sun, 20 Nov 2016 05:20:07 +0000 (06:20 +0100)
committerChristian Brauner <christian.brauner@canonical.com>
Sun, 20 Nov 2016 05:26:03 +0000 (06:26 +0100)
commit29ed9c13ac360aa5b053f935cee09ef62619ee20
tree2d40e5a9f424defdbc15c3e6e9338f0c8dd4d0c5tree
parent2681861894e7e64b5b740831c4e937db0b9a914acommit | diff
namespace: always attach to user namespace first

Move the user namespace at the first position in the array so that we always
attach to it first when iterating over the struct and using setns() to switch
namespaces. This especially affects lxc_attach(): Suppose you cloned a new user
namespace and mount namespace as an unprivileged user on the host and want to
setns() to the mount namespace. This requires you to attach to the user
namespace first otherwise the kernel will fail this check:

    if (!ns_capable(mnt_ns->user_ns, CAP_SYS_ADMIN) ||
        !ns_capable(current_user_ns(), CAP_SYS_CHROOT) ||
        !ns_capable(current_user_ns(), CAP_SYS_ADMIN))
     return -EPERM;

in

    linux/fs/namespace.c:mntns_install().

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
src/lxc/namespace.c diff | blob | blame | history
src/lxc/namespace.h diff | blob | blame | history
Mirror of https://github.com/lxc/lxc.git