Namespaces in operation - root privileges

Posted Jan 9, 2013 0:57 UTC (Wed) by hallyn (subscriber, #22558)
In reply to: Namespaces in operation - root privileges by giraffedata
Parent article: Namespaces in operation, part 1: namespaces overview

> So how does this work? Does the uid name space feature really allow a process to hold a capability whose power is somehow limited to a subset of the system?

Yes. In the past, we simply had the 'capable()' call, which checked whether the current task had, say, CAP_SYS_ADMIN. Now capabilities are targeted toward a particular user namespace, and the function to check for that is ns_capable(). Importantly, any existing unconverted capable() call becomes a check targeted at the initial user namespace. Therefore if we haven't specifically said "that capability is ok to be allowed in a non-init userns", then it won't be allowed. Then, resources (say a network interface) belong to a namespace (a network ns, for the network interface), and each network namespace is owned by a user namespace, namely the userns from which the netns was created. So to check CAP_NET_ADMIN for an action on a nic, we can check for permission to the user namespace which owns the netns which owns the nic.

(If you're asking more generally about the relation of root to capabilities, that has not changed - see the capabilities(7) man page, specifically searching for 'secbit'.)
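The ownership chain described in the comment above (nic -> netns -> owning userns -> capability check) as an added, user-space model in C; this is illustrative code, not the kernel's implementation, and the struct and function names (`user_ns`, `net_ns`, `net_device`, `cred`, `may_admin_device`) are assumptions chosen for readability. It reproduces the core rule of the kernel's targeted check: a task's capabilities count in its own user namespace and in every descendant of it, and an unconverted `capable()` always targets the initial user namespace. It deliberately omits the kernel's extra rule that the creator (owner uid) of a child user namespace holds all capabilities in it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Capability numbers as in <linux/capability.h>, copied here so the model
 * builds without kernel headers. */
#define CAP_NET_ADMIN 12
#define CAP_SYS_ADMIN 21

/* A user namespace is the target of a capability check. (Hypothetical
 * struct; the real one is struct user_namespace.) */
struct user_ns {
    const char *name;
    struct user_ns *parent;   /* NULL for the initial user namespace */
};

/* A network namespace is owned by the user namespace it was created from. */
struct net_ns {
    const char *name;
    struct user_ns *owner;
};

/* A network interface lives in exactly one network namespace. */
struct net_device {
    const char *name;
    struct net_ns *ns;
};

/* Task credentials: the task's own user namespace plus the capabilities it
 * holds there, kept as a bit set indexed by capability number. */
struct cred {
    struct user_ns *user_ns;
    uint64_t cap_effective;
};

static struct user_ns init_user_ns = { "init_user_ns", NULL };

/* Model of ns_capable(): does `cred` hold `cap` with respect to `target`?
 * Walk from the target upwards; if we reach the task's own namespace the
 * task's capability bit decides, otherwise the target is outside the
 * subtree the task can ever administer. Simplification: the kernel also
 * grants the owning uid of a child namespace full capabilities in it. */
static bool ns_capable(const struct cred *cred, const struct user_ns *target, int cap)
{
    for (const struct user_ns *ns = target; ns != NULL; ns = ns->parent) {
        if (ns == cred->user_ns)
            return (cred->cap_effective >> cap) & 1;
    }
    return false;
}

/* Model of an unconverted capable() call: it targets the initial user
 * namespace, so "root" inside a child user namespace never passes it. */
static bool capable(const struct cred *cred, int cap)
{
    return ns_capable(cred, &init_user_ns, cap);
}

/* Permission check for administering a device: follow the chain
 * nic -> netns -> owning userns and test CAP_NET_ADMIN against that userns. */
static bool may_admin_device(const struct cred *cred, const struct net_device *dev)
{
    return ns_capable(cred, dev->ns->owner, CAP_NET_ADMIN);
}

/* Constructed scenario: a host and a container, each with its own netns. */
static struct user_ns container_user_ns = { "container_user_ns", &init_user_ns };
static struct net_ns host_net_ns = { "host_net_ns", &init_user_ns };
static struct net_ns container_net_ns = { "container_net_ns", &container_user_ns };
static struct net_device eth0 = { "eth0", &host_net_ns };
static struct net_device veth0 = { "veth0", &container_net_ns };

#define FULL_CAPS ((1ULL << CAP_NET_ADMIN) | (1ULL << CAP_SYS_ADMIN))
static const struct cred host_root = { &init_user_ns, FULL_CAPS };
static const struct cred container_root = { &container_user_ns, FULL_CAPS };

bool container_root_can_admin_veth0(void) { return may_admin_device(&container_root, &veth0); }
bool container_root_can_admin_eth0(void)  { return may_admin_device(&container_root, &eth0); }
bool container_root_passes_capable(void)  { return capable(&container_root, CAP_SYS_ADMIN); }
bool host_root_can_admin_veth0(void)      { return may_admin_device(&host_root, &veth0); }

int main(void)
{
    printf("container root -> veth0 (own netns): %d\n", container_root_can_admin_veth0());
    printf("container root -> eth0 (host netns):  %d\n", container_root_can_admin_eth0());
    printf("container root -> legacy capable():   %d\n", container_root_passes_capable());
    printf("host root -> veth0 (child netns):     %d\n", host_root_can_admin_veth0());
    return 0;
}
```

The first and last results show the asymmetry the comment describes: capabilities flow downwards from the initial user namespace to the namespaces it owns, never upwards, and a check that has not been converted to ns_capable() stays closed to everyone except the initial namespace's root.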



Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds