On Wed, Jul 31, 2013 at 08:25:23AM -0500, Ben Myers wrote:
> On Wed, Jul 31, 2013 at 10:21:19AM +1000, Dave Chinner wrote:
> > On Tue, Jul 30, 2013 at 06:40:21PM -0500, Ben Myers wrote:
> > > On Mon, Jul 29, 2013 at 11:07:09PM -0400, Dwight Engen wrote:
> > > > >From e6a9ee0cfa0ed40484f66bc1726dc19de36038b8 Mon Sep 17 00:00:00 2001
> > > > From: Dwight Engen <dwight.engen@xxxxxxxxxx>
> > > > Date: Tue, 2 Jul 2013 09:52:54 -0400
> > > > Subject: [PATCH 7/7] enable building user namespace with xfs
> > > >
> > > > Signed-off-by: Dwight Engen <dwight.engen@xxxxxxxxxx>
> > >
> > > Was there a patch running around to limit bulkstat to init_user_ns? Any
> > > other
> > > items that needed to be addressed before applying this patch?
> > Bulkstat has a capable(CAP_SYS_ADMIN) check and therefore can only be
> > executed in the init name space. Similarly, all the open-by-handle
> > interfaces have the same capable() checks so they can only be
> > executed int he init name space, too.
> Gah. I was under the impression that you could have a process with
> CAP_SYS_ADMIN in a namespace other than init_user_ns.
Ben, until about a week and a half ago I was also working under that
same understanding as you. So don't feel bad about not knowing
about this basic, fundamental rule because it is completely
undocumented and it's not obvious to anyone reading the code until
someone points it out....