SRU Justification
Impact: Support for namespaced filesystem capabilities was added upstream in Linux 4.14. This is a useful feature that allows unprivileged containers to set fscaps that are valid only in user namespaces where a specific kuid is mapped to root. This enables, for example, running Linux distros that make use of filesystem capabilities within lxd.
Fix: Backport upstream commit 8db6c34f1dbc "Introduce v3 namespaced file capabilities" and any subsequent fixes to xenial 4.4.
Test Case: Test use of fscaps within a lxd container.
Regression Potential: This has been upstream since 4.14 (and thus is present in bionic), and the backport to xenial 4.4 was not difficult, so regression potential is low.
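
The following is an added example, not code from the bug report or the kernel patch: a decoder for the security.capability xattr that tells a classic v2 value from a v3 namespaced one by its trailing rootid, useful when checking what a container actually wrote during the test case. The constants are from the kernel's linux/capability.h; honoured_for() is a simplified model of the kernel check, and the sample values (rootid 100000, CAP_NET_RAW) are constructed.

```python
import struct

# Constants from the kernel UAPI header linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_1 = 0x01000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
# revision -> (number of 32-bit permitted/inheritable pairs, has trailing rootid)
LAYOUTS = {VFS_CAP_REVISION_1: (1, False), VFS_CAP_REVISION_2: (2, False),
           VFS_CAP_REVISION_3: (2, True)}


def parse_fscap(raw):
    """Decode a security.capability xattr value (all fields little-endian)."""
    if len(raw) < 4:
        raise ValueError("xattr too short for magic_etc")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in LAYOUTS:
        raise ValueError("unknown fscap revision 0x%08x" % revision)
    pairs, has_rootid = LAYOUTS[revision]
    expected = 4 + 8 * pairs + (4 if has_rootid else 0)
    if len(raw) != expected:
        raise ValueError("expected %d bytes, got %d" % (expected, len(raw)))
    words = struct.unpack_from("<%dI" % (2 * pairs), raw, 4)
    permitted = inheritable = 0
    for i in range(pairs):
        permitted |= words[2 * i] << (32 * i)
        inheritable |= words[2 * i + 1] << (32 * i)
    # v1/v2 carry no rootid: they are tied to root of the initial namespace (0).
    rootid = struct.unpack_from("<I", raw, expected - 4)[0] if has_rootid else 0
    return {"version": revision >> 24, "permitted": permitted,
            "inheritable": inheritable, "rootid": rootid,
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)}


def honoured_for(cap, ns_root_kuids):
    """Simplified model (assumption): the caps count only if rootid is a kuid
    mapped to uid 0 in the task's user namespace or one of its ancestors."""
    return cap["rootid"] in ns_root_kuids


# Constructed sample: v3 xattr granting CAP_NET_RAW (bit 13), rootid 100000.
SAMPLE_V3 = struct.pack("<6I", VFS_CAP_REVISION_3 | VFS_CAP_FLAGS_EFFECTIVE,
                        1 << 13, 0, 0, 0, 100000)
# Constructed sample: the same capability as a classic v2 xattr (no rootid).
SAMPLE_V2 = struct.pack("<5I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                        1 << 13, 0, 0, 0)
```

On a real system the raw bytes can be read with os.getxattr(path, "security.capability"); the rootid is compared here as stored, which assumes a filesystem mounted in the initial user namespace.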