[libvirt] [PATCH 3/3] Run all VMs without capabilities
Daniel Veillard
veillard at redhat.com
Tue Jun 23 13:46:34 UTC 2009
On Mon, Jun 22, 2009 at 09:05:24PM +0100, Daniel P. Berrange wrote:
> This patch adds a new flag to virExec() called VIR_EXEC_CLEAR_CAPS.
> If you set this flag then all capabilities are removed in between the
> fork() and exec() pair.
>
> It also updates QEMU and UML driver to run their VMs without any privileges.
> A mild security benefit for most distros today, but if distros start to
> lock down what the unprivileged root user can do, this benefit increases.
>
> It also removes all capabilities from the 'ssh' client spawned by the
> remote client, since that shouldn't need any real privileges to open a
> tunnel.
IMHO that and the first patch could be applied as is, even if the
other patches are a bit more subtle; that one is simple, direct and clear,
we don't need to wait for this.
> +#else
> +static int virClearCapabilities(void)
> +{
> +// VIR_WARN0("libcap-ng support not compiled in, unable to clear capabilities");
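Review bot: the commented-out VIR_WARN0 in the #else fallback should either be dropped or restored as a live warning; as quoted, a build without libcap-ng gets a virClearCapabilities() that leaves no trace in the log that capabilities could not be cleared, so callers passing VIR_EXEC_CLEAR_CAPS get no signal that the flag had no effect. If the message is kept, make it a real VIR_WARN0 rather than a `//` comment.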
Hum, to be cleaned up one way or another :-)
ACK
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel at veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
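As an added illustration of the mechanism described in the patch (this is not libvirt's code and not the patch under review), the fork/clear/exec pattern written against the raw Linux capget/capset and prctl syscalls instead of libcap-ng, with a child-side check that the effective set really ends up empty. The function names and the use of raw syscalls in place of capng_clear()/capng_apply() are my assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Empty the bounding set (needs CAP_SETPCAP) and the effective, permitted and
 * inheritable sets. Raw syscalls stand in for libcap-ng here (assumption). */
static int clear_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = { { 0 } };
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    /* Root regains caps on exec only from the bounding set, so when we
     * hold CAP_SETPCAP the bounding set must be emptied as well. */
    if (data[0].effective & (1u << CAP_SETPCAP)) {
        for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
            if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0 && errno != EINVAL)
                return -1;   /* EINVAL: cap unknown to the running kernel */
    }
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        data[i].effective = data[i].permitted = data[i].inheritable = 0;
    return (int) syscall(SYS_capset, &hdr, data);   /* ambient set goes too */
}

/* fork(), clear capabilities in the child, then exec(): what the
 * VIR_EXEC_CLEAR_CAPS flag adds to virExec(). Returns the child's exit code. */
static int run_without_caps(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (clear_all_caps() < 0) _exit(126);
        execv(argv[0], argv);
        _exit(127);                   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Let the exec'd child report whether its own effective set is empty. */
static int child_has_no_caps(void)
{
    char *const argv[] = { "/bin/sh", "-c",
        "grep -q '^CapEff:[[:space:]]*0*$' /proc/self/status", NULL };
    return run_without_caps(argv) == 0;
}
```

Run it as root to see the bounding-set branch matter: without that drop, a root child would regain every capability at exec time.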