File capabilities in user namespaces

Session information has not yet been published for this event.


One Line Summary

Update on file capabilities in containers


File capabilities are not namespaced. Therefore, at the moment root in a user namespace cannot be allowed to assign capabilities to a file, as that would allow an unprivileged user on the host to elevate privileges.

However, supporting file capabilities everywhere is very desirable as it allows userspace to avoid having to support multiple ways to gain/drop privilege.

There have been a few proposed patches to support namespacing file capabilities. This talk will higlight the latest developments in completing this feature.