[manpages PATCH] capabilities.7: describe namespaced file capabilities

Serge E. Hallyn serge at hallyn.com
Sun Apr 15 19:22:06 UTC 2018

Quoting Michael Kerrisk (man-pages) (mtk.manpages at gmail.com):
> On 01/16/2018 06:38 PM, Serge E. Hallyn wrote:
> > Quoting Jann Horn (jannh at google.com):
> >> On Tue, Jan 9, 2018 at 7:52 PM, Serge E. Hallyn <serge at hallyn.com> wrote:
> [...]
> >>> +A VFS_CAP_REVISION_3 file capability will take effect only when run in a user namespace
> >>> +whose UID 0 maps to the saved "nsroot", or a descendant of such a namespace.
> >>> +.PP
> >>> +Users with the required privilege may use
> >>> +.BR setxattr(2)
> >>> +to request either a VFS_CAP_REVISION_2 or VFS_CAP_REVISION_3 write.
> >>> +The kernel will automatically convert a VFS_CAP_REVISION_2 to a
> >>> +VFS_CAP_REVISION_3 extended attribute with the "nsroot"
> >>> +set to the root user in the writer's user namespace, or, if a VFS_CAP_REVISION_3
> >>> +extended attribute is specified, then the kernel will map the
> >>> +specified root user ID (which must be a valid user ID mapped in the caller's
> >>> +user namespace) into the initial user namespace.
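Review bot: The closing sentence of the hunk ("into the initial user namespace") is inaccurate as written; as Jann's objection and Serge's reply below confirm, the kernel maps the specified root user ID into the user namespace that owns the filesystem's superblock, which is only the initial namespace when the filesystem was mounted there. Suggest "into the user namespace in which the filesystem was mounted" here, and qualifying the "nsroot" of the v2-to-v3 conversion the same way, since the stored value becomes visible when the same filesystem is mounted from a different namespace or via FUSE. Also, ".BR setxattr(2)" should be ".BR setxattr (2)" so that only the function name is set in bold, per the man-pages cross-reference convention.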
> >>
> >> Really, "into the initial user namespace"? That may be true for the
> >> kernel-internal representation, but the on-disk representation is the
> >> mapping into the user namespace that contains the mount namespace into
> >> which the file system was mounted, right?
> > 
> > Ah, yes, it is.
> > 
> >>  This would become observable
> >> when a file system is mounted in a different namespace than before, or
> >> when working with FUSE in a namespace.
> > 
> > Yes it would.
> > 
> > Michael, you said you were reworking it, do you mind working this into
> > it as well?
> So, I must confess that I don't really understand this piece of the
> conversation--neither Jann's comments nor Serge's response (Serge, are
> you saying Jann is right or wrong in his comments?). Perhaps this can

He's right.  The point is that if a filesystem is mounted by a user in
a non-init user namespace, then the kernel will map the specified root user ID
into sb->sb_user_ns, not &init_user_ns.

> be clarified as a response to the man page text in the other mail I
> just sent?

Yes, I'll try to do that.
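As an added illustration (not part of this thread or of the man page patch under discussion), the Python below decodes the on-disk security.capability value for all three VFS_CAP revisions and models the two behaviours the thread describes: the conversion the kernel applies on a setxattr(2) write, which stores the root ID relative to the user namespace owning the filesystem rather than the initial one, and the check that decides whether a VFS_CAP_REVISION_3 capability takes effect in a given user namespace. The revision constants and layout sizes are the kernel's; the UserNs class with its single-range uid map, the namespace names and the capability values are constructed for the example, and treating v1/v2 values as rootid 0 relative to the filesystem's namespace is an assumption of this model.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# On-disk constants of the security.capability xattr (include/uapi/linux/capability.h).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_1 = 0x01000000  # 12 bytes: magic_etc + one {permitted, inheritable} pair
VFS_CAP_REVISION_2 = 0x02000000  # 20 bytes: magic_etc + two pairs (64-bit capability sets)
VFS_CAP_REVISION_3 = 0x03000000  # 24 bytes: the v2 layout followed by a 32-bit rootid
XATTR_SIZE = {VFS_CAP_REVISION_1: 12, VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}


@dataclass
class UserNs:
    """Toy user namespace (assumed model): uid u inside the namespace maps to
    kernel uid base + u for u < count, like a one-line /proc/self/uid_map."""
    name: str
    base: int
    parent: Optional["UserNs"] = None
    count: int = 65536

    def to_kuid(self, uid: int) -> Optional[int]:
        return self.base + uid if 0 <= uid < self.count else None

    def from_kuid(self, kuid: int) -> Optional[int]:
        off = kuid - self.base
        return off if 0 <= off < self.count else None


def parse_cap_xattr(blob: bytes) -> dict:
    """Decode a security.capability value; rejects unknown revisions and wrong sizes."""
    if len(blob) < 4:
        raise ValueError("xattr too short for magic_etc")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    rev = magic_etc & VFS_CAP_REVISION_MASK
    if rev not in XATTR_SIZE:
        raise ValueError(f"unknown VFS_CAP revision {rev:#010x}")
    if len(blob) != XATTR_SIZE[rev]:
        raise ValueError(f"revision {rev >> 24} needs {XATTR_SIZE[rev]} bytes, got {len(blob)}")
    words = struct.unpack_from(f"<{(len(blob) - 4) // 4}I", blob, 4)
    permitted, inheritable = words[0], words[1]  # data[0]: low 32 bits of each set
    if rev != VFS_CAP_REVISION_1:
        permitted |= words[2] << 32               # data[1]: high 32 bits
        inheritable |= words[3] << 32
    return {
        "revision": rev >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": permitted,
        "inheritable": inheritable,
        "rootid": words[4] if rev == VFS_CAP_REVISION_3 else None,
    }


def build_cap_xattr(permitted: int, inheritable: int, effective: bool = False,
                    rootid: Optional[int] = None) -> bytes:
    """Encode a v2 value, or a v3 value when a rootid is given."""
    magic = VFS_CAP_REVISION_2 if rootid is None else VFS_CAP_REVISION_3
    if effective:
        magic |= VFS_CAP_FLAGS_EFFECTIVE
    m = 0xFFFFFFFF
    blob = struct.pack("<5I", magic, permitted & m, inheritable & m,
                       (permitted >> 32) & m, (inheritable >> 32) & m)
    return blob if rootid is None else blob + struct.pack("<I", rootid)


def convert_on_write(blob: bytes, writer_ns: UserNs, fs_ns: UserNs) -> bytes:
    """Model of the write-side conversion the thread describes: a v2 write gets
    nsroot = the writer's root, a v3 write's rootid must be mapped in the writer's
    namespace, and the stored rootid is expressed relative to the namespace that
    owns the filesystem's superblock, not the initial namespace."""
    caps = parse_cap_xattr(blob)
    if caps["revision"] == 2:
        kroot = writer_ns.to_kuid(0)
    elif caps["revision"] == 3:
        kroot = writer_ns.to_kuid(caps["rootid"])
    else:
        raise ValueError("only VFS_CAP_REVISION_2 or _3 may be written")
    if kroot is None:
        raise ValueError("rootid is not mapped in the writer's user namespace")
    disk_rootid = fs_ns.from_kuid(kroot)
    if disk_rootid is None:
        raise ValueError("rootid is not mapped in the filesystem's user namespace")
    return build_cap_xattr(caps["permitted"], caps["inheritable"], caps["effective"], disk_rootid)


def cap_takes_effect(blob: bytes, fs_ns: UserNs, current_ns: UserNs) -> bool:
    """A stored capability applies when current_ns, or one of its ancestors, maps
    its uid 0 to the root recorded on disk; v1/v2 values count as rootid 0 in fs_ns."""
    caps = parse_cap_xattr(blob)
    kroot = fs_ns.to_kuid(caps["rootid"] if caps["revision"] == 3 else 0)
    ns = current_ns
    while ns is not None:
        if ns.to_kuid(0) == kroot:
            return True
        ns = ns.parent
    return False


if __name__ == "__main__":
    CAP_NET_BIND_SERVICE = 1 << 10  # constructed sample capability
    init = UserNs("init", base=0, count=1 << 32)
    cont = UserNs("container", base=100000, parent=init)
    nested = UserNs("nested", base=100000, parent=cont, count=1000)
    v2 = build_cap_xattr(CAP_NET_BIND_SERVICE, 0, effective=True)
    # The same v2 write lands with a different stored rootid depending on who mounted the fs.
    print(parse_cap_xattr(convert_on_write(v2, cont, fs_ns=cont))["rootid"])  # 0
    print(parse_cap_xattr(convert_on_write(v2, cont, fs_ns=init))["rootid"])  # 100000
    print(cap_takes_effect(convert_on_write(v2, cont, cont), cont, nested))  # True
```

The two print lines in the demo are the point of the thread: the container's root writes the same v2 value both times, but the on-disk rootid is 0 when the container mounted the filesystem and 100000 when it was mounted from the initial namespace, so re-mounting the filesystem elsewhere changes who the capability applies to.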
