Namespaced file capabilities update

This proposal has been rejected.

*

One Line Summary

Why can't containers use file capabilities yet

Abstract

Root in unprivileged containers is not allowed to write file capabilities for files over which it is privileged. This means that programs wanting to run in containers cannot rely on file capabilities being available as a method of starting with privilege. Instead they must be able to fall back on being setuid-root.

For some time we’ve worked toward being able to provide this functionality. This will be a brief update on the progress of that work.

Speaker