215812 – Document namespace PID interpretation with respect to cap_get_pid()

Bug 215812 - Document namespace PID interpretation with respect to cap_get_pid()

Summary: Document namespace PID interpretation with respect to cap_get_pid()

Status:	RESOLVED DOCUMENTED

Alias:	None

Product:	Tools
Classification:	Unclassified
Component:	libcap (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	Andrew G. Morgan

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-04-06 16:44 UTC by Andrew G. Morgan
Modified:	2022-04-29 04:43 UTC (History)
CC List:	1 user (show)

See Also:
Kernel Version:	n/a
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Andrew G. Morgan 2022-04-06 16:44:58 UTC

I've received a request to clarify the semantics of the pid argument to cap_get_pid() when invoked from within a namespace. I'm filing this bug to make sure I do this.

My belief at present is that within the namespace, the caller can only see the pid view visible within that namespace.

Comment 1 Andrew G. Morgan 2022-04-07 14:30:26 UTC

I chatted with Serge Hallyn and he confirms that the pid argument is interpreted "relative to the caller's pid_ns".

Comment 2 Andrew G. Morgan 2022-04-10 00:06:54 UTC

Fixed via:

https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=ceaa591b012610d3fe402d33e7d7ca14716cf965

Comment 3 Andrew G. Morgan 2022-04-19 02:30:33 UTC

This man page needs some discussion of the returned capabilities too, in the case of querying a PID inside some other namespace.

Comment 4 Andrew G. Morgan 2022-04-29 04:43:10 UTC

Fixed with:

https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=9a9579181897a62dc107b121f139a319d7e297fa

Note You need to log in before you can comment on or make changes to this bug.