[Vserver] clone(..., CLONE_NEWNS) -> -EPERM with 2.6.22.1-vs2.2.0.3-rc1

From: Enrico Scholz <enrico.scholz_at_sigma-chemnitz.de>
Date: Tue 24 Jul 2007 - 14:51:53 BST
Message-ID: <lyps2h29l2.fsf@ensc-pc.intern.sigma-chemnitz.de>

Hi,

since 2.6.22-1-vs2.2.0.3-rc1, clone(..., CLONE_NEWNS) fails with
-EPERM. Previous kernels allowed this when the VXC_SECURE_MOUNT
ccap was set:

With 2.6.21.5-vs2.2.0-rc3:

| # vcontext --create -- vattribute --secure --ccap VXC_SECURE_MOUNT -- \
| vcontext --migrate-self --endsetup -- vnamespace -n /bin/sh
| New security context is 49157
| sh-3.1#

With 2.6.22-1-vs2.2.0.3-rc1:

| # vcontext --create -- vattribute --secure --ccap VXC_SECURE_MOUNT -- \
| vcontext --migrate-self --endsetup -- vnamespace -n /bin/sh
| New security context is 49163
| vnamespace: clone(): Operation not permitted

strace before 'vnamespace' shows

| clone(child_stack=0, flags=CLONE_VFORK|CLONE_NEWNS|SIGCHLD) = -1 EPERM (Operation not permitted)

Setting all ccaps does not help.

Enrico
Received on Fri Aug 3 09:06:22 2007
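
A minimal reproducer for the failing call, added here as an example and not part of the original post or of util-vserver: it issues the same clone() flags that the strace line shows and reports whether CAP_SYS_ADMIN is in the effective set, which clone(2) documents as required for CLONE_NEWNS on a stock kernel. It cannot see VServer ccaps such as VXC_SECURE_MOUNT, and the raw syscall argument order assumes x86.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define CAP_SYS_ADMIN_BIT 21 /* value of CAP_SYS_ADMIN in <linux/capability.h> */

/* Read the CapEff: line of /proc/<pid>/status text.
 * Returns 1 if CAP_SYS_ADMIN is effective, 0 if not, -1 if the line is absent. */
int has_cap_sys_admin(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    if (p == NULL) return -1;
    unsigned long long mask = strtoull(p + strlen("CapEff:"), NULL, 16);
    return (int)((mask >> CAP_SYS_ADMIN_BIT) & 1ULL);
}

/* Issue the clone() seen in the strace line. Returns 0 or -errno.
 * Raw syscall with flags as the first argument (x86 layout, an assumption). */
int try_clone_newns(void)
{
    long pid = syscall(SYS_clone, CLONE_VFORK | CLONE_NEWNS | SIGCHLD, 0, 0, 0, 0);
    if (pid < 0) return -errno;
    if (pid == 0) _exit(0); /* child: the new mount namespace exists, nothing else to do */
    waitpid((pid_t)pid, NULL, 0);
    return 0;
}

int main(void)
{
    char buf[4096] = "";
    FILE *f = fopen("/proc/self/status", "r");
    if (f != NULL) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
    }
    int rc = try_clone_newns();
    printf("CAP_SYS_ADMIN effective: %d\n", has_cap_sys_admin(buf));
    printf("clone(CLONE_VFORK|CLONE_NEWNS|SIGCHLD): %s\n", rc ? strerror(-rc) : "ok");
    return rc ? 1 : 0;
}
```

Running it inside the context in place of `vnamespace -n /bin/sh` separates a missing POSIX capability from a refusal made by the VServer patch itself.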

Generated on Fri 03 Aug 2007 - 09:06:27 BST by hypermail 2.1.8