File capabilities in user namespaces
One Line Summary
Update on file capabilities in containers
Abstract
File capabilities are not namespaced. Therefore, at the moment root in a user namespace cannot be allowed to assign capabilities to a file, as that would allow an unprivileged user on the host to elevate privileges.
However, supporting file capabilities everywhere is very desirable as it allows userspace to avoid having to support multiple ways to gain/drop privilege.
There have been a few proposed patches to support namespacing file capabilities. This talk will highlight the latest developments in completing this feature.
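As an added illustration that is not part of this session abstract or of the speaker's work, the following Python script decodes the on-disk layout of the security.capability extended attribute from include/uapi/linux/capability.h. It goes beyond the abstract in one respect: besides the v2 layout, which carries no owner information and is therefore only safe to honour when host root wrote it, it also decodes the v3 layout the kernel later adopted for namespaced file capabilities (Linux 4.14), which appends a rootid field naming the kuid the capabilities are rooted at. The honoured_by_namespace() function is a deliberately simplified model of the kernel's check (the real rule also accepts ancestor namespaces), and the sample blobs and the uid 100000 are constructed values.

```python
import os
import struct

# Layout constants from include/uapi/linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_2 = 0x02000000   # 20 bytes: magic + 2 x (permitted, inheritable)
VFS_CAP_REVISION_3 = 0x03000000   # 24 bytes: v2 layout + rootid (namespaced caps)

# Subset of capability bit numbers from include/uapi/linux/capability.h
CAP_NAMES = {
    0: "CAP_CHOWN",
    1: "CAP_DAC_OVERRIDE",
    7: "CAP_SETUID",
    12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW",
    21: "CAP_SYS_ADMIN",
    34: "CAP_SYSLOG",
}


def cap_names(mask: int) -> list:
    """Expand a 64-bit capability mask into names (unknown bits as CAP_<n>)."""
    return [CAP_NAMES.get(bit, f"CAP_{bit}") for bit in range(64) if mask >> bit & 1]


def build_file_caps(permitted: int, inheritable: int,
                    effective: bool = False, rootid=None) -> bytes:
    """Encode a security.capability value; rootid=None gives v2, otherwise v3."""
    magic = VFS_CAP_REVISION_3 if rootid is not None else VFS_CAP_REVISION_2
    if effective:
        magic |= VFS_CAP_FLAGS_EFFECTIVE
    # struct vfs_cap_data: magic_etc, then data[0] and data[1] as (permitted, inheritable)
    blob = struct.pack("<5I", magic,
                       permitted & 0xFFFFFFFF, inheritable & 0xFFFFFFFF,
                       permitted >> 32, inheritable >> 32)
    if rootid is not None:
        blob += struct.pack("<I", rootid)   # struct vfs_ns_cap_data appends rootid
    return blob


def parse_file_caps(blob: bytes) -> dict:
    """Decode a security.capability value into revision, flags, masks and rootid."""
    if len(blob) < 4:
        raise ValueError("xattr too short to hold magic_etc")
    magic = struct.unpack_from("<I", blob, 0)[0]
    revision = magic & VFS_CAP_REVISION_MASK
    expected = {VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}.get(revision)
    if expected is None:
        raise ValueError(f"unsupported revision 0x{revision:08x}")
    if len(blob) != expected:
        raise ValueError(f"revision 0x{revision:08x} needs {expected} bytes, got {len(blob)}")
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<4I", blob, 4)
    rootid = struct.unpack_from("<I", blob, 20)[0] if revision == VFS_CAP_REVISION_3 else None
    permitted = p_lo | (p_hi << 32)
    inheritable = i_lo | (i_hi << 32)
    return {
        "revision": revision >> 24,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": permitted,
        "inheritable": inheritable,
        "permitted_names": cap_names(permitted),
        "inheritable_names": cap_names(inheritable),
        "rootid": rootid,
    }


def honoured_by_namespace(caps: dict, ns_root_kuid: int) -> bool:
    """Simplified model (an assumption here, not the kernel's exact code):
    a v2 xattr is implicitly rooted at kuid 0, a v3 xattr at its rootid, and the
    capabilities only apply when that kuid is the root of the executing user
    namespace. The kernel's real rule also accepts ancestor namespaces."""
    rootid = 0 if caps["rootid"] is None else caps["rootid"]
    return rootid == ns_root_kuid


def read_file_caps(path: str) -> dict:
    """Decode the xattr of a real file (Linux only; raises OSError if none is set)."""
    return parse_file_caps(os.getxattr(path, "security.capability"))


if __name__ == "__main__":
    # Constructed samples: a ping-style binary with CAP_NET_RAW, once as v2 and
    # once as v3 rooted at a hypothetical container root mapped to host uid 100000.
    host_blob = build_file_caps(1 << 13, 0, effective=True)
    ctr_blob = build_file_caps(1 << 13, 0, effective=True, rootid=100000)
    for label, blob in (("v2 (unnamespaced)", host_blob), ("v3 rootid=100000", ctr_blob)):
        caps = parse_file_caps(blob)
        print(label, caps["permitted_names"],
              "host root honours:", honoured_by_namespace(caps, 0),
              "container root honours:", honoured_by_namespace(caps, 100000))
```

The v2 sample is honoured by host root no matter who wrote it, which is exactly why an unprivileged user's root inside a user namespace cannot be allowed to write it; the v3 sample is honoured only where the recorded rootid is the namespace's root, so the same file cannot hand capabilities to host root.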
Speaker
Biography
I work on the virtualization stack for Ubuntu and am one of the maintainers for lxc.