LXC is being very clever and sometimes maps the caller's uid into the
child userns. This means that the caller can technically write fscaps
that are valid in the ancestor userns (which can be a security issue in
some scenarios) so newer kernels require CAP_SETFCAP to do this. Until
newuidmap/newgidmap are updated to account for this simply write the
mapping directly in this case.
Cc: stable-4.0 Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
projects / thirdparty / lxc.git / commit
