[libvirt] [PATCH 4/3] Control LXC capabilities
Daniel Veillard
veillard at redhat.com
Tue Jun 23 13:48:21 UTC 2009
On Tue, Jun 23, 2009 at 12:02:12PM +0100, Daniel P. Berrange wrote:
> This patch updates the LXC driver to make use of libcap-ng for managing
> process capabilities. Previously Ryota Ozaki had provided code to remove
> the CAP_BOOT capabilities inside the container, preventing host reboots.
> In addition to that one, I believe we should be removing ability to
> load kernel modules, change the system clock and changing audit/MAC.
> So this patch also clears the following:
>
> CAP_SYS_MODULE, /* No kernel module loading */
> CAP_SYS_TIME, /* No changing the clock */
> CAP_AUDIT_CONTROL, /* No messing with auditing */
> CAP_AUDIT_WRITE, /* No messing with auditing */
> CAP_MAC_ADMIN, /* No messing with LSM */
> CAP_MAC_OVERRIDE, /* No messing with LSM */
>
> We use libcap-ng's capng_updatev/apply functions to remove these from
> the permitted, inheritable, effective and bounding sets. Then we use
> capng_lock to set NOROOT and NOROOT_LOCKED in the process securebits
> to prevent them ever being re-acquired.
>
> The other thing I realized is that the 'libvirt_lxc' controller process
> does not need to keep any capabilities at all once it has spawned the
> container process, since all it's doing is forwarding I/O between 2 open
> file descriptors. So I also clear all capabilities from that. We should
> probably make it chuid/gid to a non-root user in future too.
Looks fine to me, but LXC experts should chime in I think :-)
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel at veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
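The two steps the quoted patch description outlines, as an added example that is not libvirt's code and not the patch itself: the container side drops a fixed list of capabilities from the bounding set and locks the securebits, and the libvirt_lxc controller side clears every capability it holds. It uses raw prctl() and the capset()/capget() syscalls instead of libcap-ng's capng_updatev/capng_apply/capng_lock so it builds without that library (this substitution is the example's own choice); CAP_SYS_BOOT is the kernel header's name for the reboot capability the description calls CAP_BOOT. It is Linux only, and the container-side steps need CAP_SETPCAP, so as an unprivileged user they fail with EPERM while the controller-side step still succeeds, since dropping capabilities never requires privilege.

```c
/* Added example, not libvirt's code: capability dropping as described in the
 * LXC patch, done with raw prctl()/capset() instead of libcap-ng. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/capability.h>
#include <linux/securebits.h>

/* Capabilities removed inside the container. CAP_SYS_BOOT is the kernel's
 * name for the reboot capability the patch description calls CAP_BOOT. */
static const int lxc_dropped_caps[] = {
    CAP_SYS_BOOT,       /* no host reboot */
    CAP_SYS_MODULE,     /* no kernel module loading */
    CAP_SYS_TIME,       /* no changing the clock */
    CAP_AUDIT_CONTROL,  /* no messing with auditing */
    CAP_AUDIT_WRITE,    /* no messing with auditing */
    CAP_MAC_ADMIN,      /* no messing with LSM */
    CAP_MAC_OVERRIDE,   /* no messing with LSM */
};
#define N_DROPPED (sizeof(lxc_dropped_caps) / sizeof(lxc_dropped_caps[0]))

/* 1 if cap is still in the bounding set, 0 if not, -1 on error (EINVAL for
 * an unknown cap). PR_CAPBSET_READ needs no privilege. */
int cap_in_bounding_set(int cap)
{
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Container side: remove each listed capability from the bounding set, so no
 * exec inside the container (setuid-root binary or file caps) can regain it.
 * Needs CAP_SETPCAP; returns the number dropped, or -1 with errno set. */
int lxc_drop_container_caps(void)
{
    for (size_t i = 0; i < N_DROPPED; i++)
        if (prctl(PR_CAPBSET_DROP, lxc_dropped_caps[i], 0, 0, 0) < 0)
            return -1;
    return (int)N_DROPPED;
}

/* The capng_lock() part: set NOROOT and NOROOT_LOCKED so uid 0 no longer
 * implies a full capability set and the setting cannot be undone.
 * Needs CAP_SETPCAP; returns 0, or -1 with errno set. */
int lxc_lock_securebits(void)
{
    return prctl(PR_SET_SECUREBITS,
                 SECBIT_NOROOT | SECBIT_NOROOT_LOCKED, 0, 0, 0);
}

/* Controller side: clear permitted, effective and inheritable entirely.
 * Giving up capabilities needs no privilege. Returns 0, or -1 with errno set. */
int controller_clear_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof(data));
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Read the calling process's capability sets back: 1 if all empty, 0 if any
 * bit is still set, -1 if capget failed. */
int caps_are_empty(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    for (size_t i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        if (data[i].effective || data[i].permitted || data[i].inheritable)
            return 0;
    return 1;
}

/* Run the controller step in a forked child (so the caller keeps its own
 * capabilities) and verify the child really ended up with none.
 * Returns 1 if the child confirmed it held no capabilities, 0 otherwise. */
int controller_drop_check(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0)
        _exit(controller_clear_all_caps() == 0 && caps_are_empty() == 1 ? 0 : 1);
    if (waitpid(pid, &status, 0) < 0)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("CAP_SYS_TIME in bounding set before: %d\n", cap_in_bounding_set(CAP_SYS_TIME));
    if (lxc_drop_container_caps() < 0 || lxc_lock_securebits() < 0)
        printf("container drop/lock failed: %s (needs CAP_SETPCAP)\n", strerror(errno));
    else
        printf("CAP_SYS_TIME in bounding set after: %d\n", cap_in_bounding_set(CAP_SYS_TIME));
    printf("controller cleared all caps: %s\n", controller_drop_check() ? "yes" : "no");
    return 0;
}
```

The bounding-set drop is what makes the container change stick across exec: clearing only the permitted set would be undone by the next setuid-root binary, while a capability missing from the bounding set cannot be picked up by any later exec, and the locked securebits stop uid 0 from being special in the first place. The controller step is checked in a child so that a process calling controller_drop_check() keeps its own capabilities.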