[libvirt] [RFC][PATCH] lxc: drop CAP_SYS_BOOT capability to prevent rebooting from inside containers

Daniel P. Berrange berrange at redhat.com
Tue Jun 23 13:21:53 UTC 2009


On Fri, May 08, 2009 at 12:43:19PM +0900, Ryota Ozaki wrote:
> Hi Serge,
> 
> On Fri, May 8, 2009 at 11:04 AM, Serge E. Hallyn <serue at us.ibm.com> wrote:
> > Quoting Ryota Ozaki (ozaki.ryota at gmail.com):
> >> Hi Serge,
> >>
> >> On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn <serue at us.ibm.com> wrote:
> >> > Quoting Ryota Ozaki (ozaki.ryota at gmail.com):
> >> >> Hi,
> >
> > ...
> >
> >> >> +    for (i = 0 ; i < ARRAY_CARDINALITY(caps) ; i++) {
> >> >> +        if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) {
> >> >> +            lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
> >> >> +                     "%s", _("failed to drop %s"), caps[i].name);
> >> >> +            return -1;
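Review bot: the lxcError call in this hunk passes "%s" as the format string, so the only argument it formats is _("failed to drop %s"); caps[i].name is never substituted and the logged message will read literally "failed to drop %s". Pass _("failed to drop %s") as the format with caps[i].name as its argument instead. Also, as raised in this thread, prctl(PR_CAPBSET_DROP) removes the capability only from the bounding set; it should be cleared from the inheritable set (pI) as well, otherwise a file inheritable bit can hand it back across exec.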
> >> >
> >> > Ideally you should also drop it from pI.
> >>
> >> If not drop it, a user in a container could set CAP_SYS_BOOT fI bit of
> >> /bin/reboot on and then the user could gain CAP_SYS_BOOT back through
> >> the fI. Is this understanding right?
> >
> > Yup.
> >
> > Of course most tasks run with pI empty, so it seems unlikely that
> > it would be a problem, but unless the libcap dependency becomes a
> > problem, it seems worth making sure that doesn't happen.
> 
> Oh, I slightly misread your suggestions, sorry. You are suggesting making
> sure requires dropping a capability in both bounding set AND pI of a process
> and to do so we need an additional package (libcap2 or somewhat) because
> prctl(2) doesn't have the function to drop pI, aren't you?
> 
> um, I hope my patch is sufficient as a first step, but ok, I'll try to implement
> the function to drop pI as well and confirm whether it is feasible for libvirt.

The patch I have just posted should take care of this issue with pI.

http://www.redhat.com/archives/libvir-list/2009-June/msg00413.html

Regards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
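Added example, not code from the thread or from libvirt: the two drops Serge describes, CAP_SYS_BOOT removed from the bounding set with prctl(PR_CAPBSET_DROP) as in the patch, and from the inheritable set (pI) through the raw capget/capset syscalls rather than libcap, so no extra dependency is needed. The helper names are assumed for illustration.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Thin wrapper over the raw capget syscall (no libcap needed). */
static int read_caps(struct __user_cap_header_struct *h, struct __user_cap_data_struct *d)
{
    h->version = _LINUX_CAPABILITY_VERSION_3;
    h->pid = 0;                          /* 0 = calling thread */
    return syscall(SYS_capget, h, d);
}

/* 1 if cap is in the calling thread's inheritable set (pI), 0 if not, -1 on error. */
static int cap_in_inheritable(int cap)
{
    struct __user_cap_header_struct h;
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3];
    if (read_caps(&h, d) < 0)
        return -1;
    return (d[CAP_TO_INDEX(cap)].inheritable & CAP_TO_MASK(cap)) ? 1 : 0;
}

/* Remove cap from pI. Shrinking one's own sets needs no privilege. With the
 * cap absent from pI, a binary's fI bit can no longer hand it back, because
 * the permitted set after exec is (pI & fI) | (fP & bounding). */
static int drop_from_inheritable(int cap)
{
    struct __user_cap_header_struct h;
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3];
    if (read_caps(&h, d) < 0)
        return -1;
    d[CAP_TO_INDEX(cap)].inheritable &= ~CAP_TO_MASK(cap);
    return syscall(SYS_capset, &h, d) < 0 ? -1 : 0;
}

/* Remove cap from the bounding set, which closes the fP route; this is the
 * prctl the patch uses and it requires CAP_SETPCAP. 0 on success, -1 on error. */
static int drop_from_bounding(int cap)
{
    return prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0 ? -1 : 0;
}

/* 1 if cap is still in the bounding set, 0 if not, -1 on error (unprivileged OK). */
static int cap_in_bounding(int cap)
{
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}
```

A container manager would call drop_from_bounding() while it still holds CAP_SETPCAP and drop_from_inheritable() in the child before exec'ing the container init.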