| author | Michael Kerrisk <mtk.manpages@gmail.com> | 2018-04-13 15:41:10 +0200 |
|---|---|---|
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2018-04-13 21:23:28 +0200 |
| commit | 7b45f4b2ad5238ffef5fbbc06629e47bd89ab7b0 (patch) | |
| tree | 4255797c5f286385c0ae296e850728fcf36af56a /man7 | |
| parent | 7da0c87a781c352555862eeb2b36efa3a0cb4881 (diff) | |
| download | man-pages-7b45f4b2ad5238ffef5fbbc06629e47bd89ab7b0.tar.gz | |
capabilities.7: Explain rules that determine version of security.capability xattr
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man7')
| -rw-r--r-- | man7/capabilities.7 | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/man7/capabilities.7 b/man7/capabilities.7 index ce4bce6c46..3ceb5b51df 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 @@ -967,6 +967,44 @@ In addition, the root user ID of namespace is encoded in the extended attribute. (A namespace's root user ID is the value that user ID 0 inside that namespace maps to in the initial user namespace.) +.IP +Starting with Linux 4.14, a +.BR VFS_CAP_REVISION_3 +.I security.capability +extended attribute is automatically created as (or converted to) +a version 3 attribute if both of the following are true: +.RS +.IP (1) 4 +The thread writing the attribute resides in a noninitial namespace. +(More precisely: the thread resides in a user namespace other +than the one from which the underlying filesystem was mounted.) +.IP (2) +The thread has the +.BR CAP_SETFCAP +capability over the file inode, +meaning that (a) the thread has the +.B CAP_SETFCAP +capability in its own user namespace; +and (b) the UID and GID of the file inode have mappings in +the writer's user namespace. +.RE +.IP +When a +.BR VFS_CAP_REVISION_3 +.I security.capability +extended attribute is created, the root user ID of the creating thread's +user namespace is saved in the extended attribute. +.IP +Creating a +.I security.capability +extended attribute from a privileged +.RB ( CAP_SETFCAP ) +thread that resides in the +namespace where the the underlying filesystem was mounted +(this normally means the initial user namespace) +automatically results in a version 2 +.RB ( VFS_CAP_REVISION_3 ) +attribute. .\" .SS Transformation of capabilities during execve() .PP |
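Review bot: the constant in the hunk's last added sentence does not match the version it describes: "automatically results in a version 2 .RB ( VFS_CAP_REVISION_3 ) attribute" should name the version 2 constant, VFS_CAP_REVISION_2, since VFS_CAP_REVISION_3 is the version 3 attribute introduced in the first added paragraph. In the same sentence, "the namespace where the the underlying filesystem was mounted" has a doubled "the". Minor wording point in item (1): "resides in a noninitial namespace" reads more consistently with the surrounding text as "resides in a noninitial user namespace", since the parenthetical that follows and item (2) both speak of user namespaces.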
