Re: [libvirt] [PATCH 4/3] Control LXC capabilities

On Tue, Jun 23, 2009 at 12:02:12PM +0100, Daniel P. Berrange wrote:
> This patch updates the LXC driver to make use of libcap-ng for managing
> process capabilities. Previously Ryota Ozaki had provided code to remove
> the CAP_BOOT capabilities inside the container, preventing host reboots.
> In addition to that one, I believe we should be removing the ability to
> load kernel modules, change the system clock and change audit/MAC.
> So this patch also clears the following:
>      CAP_SYS_MODULE, /* No kernel module loading */
>      CAP_SYS_TIME, /* No changing the clock */
>      CAP_AUDIT_CONTROL, /* No messing with auditing */
>      CAP_AUDIT_WRITE, /* No messing with auditing */
>      CAP_MAC_ADMIN, /* No messing with LSM */
>      CAP_MAC_OVERRIDE, /* No messing with LSM */
> We use libcap-ng's capng_updatev/apply functions to remove these from
> the permitted, inheritable, effective and bounding sets. Then we use
> capng_lock to set NOROOT and NOROOT_LOCKED in the process securebits
> to prevent them ever being re-acquired.
> The other thing I realized is that the 'libvirt_lxc' controller process
> does not need to keep any capabilities at all once it has spawned the
> container process, since all it's doing is forwarding I/O between 2 open
> file descriptors. So I also clear all capabilities from that. We should
> probably make it chuid/gid to a non-root user in future too.

  Looks fine to me, but LXC experts should chime in I think :-)
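As an added example (not part of the patch or of libvirt), here is a check a host administrator can run against the `CapInh`/`CapPrm`/`CapEff`/`CapBnd` lines of `/proc/<pid>/status` for the container's init process, to confirm that the seven capabilities the patch clears are really gone from all four sets. The status text below is constructed sample data; the capability numbers are the kernel's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers as assigned by the kernel (linux/capability.h). */
enum { CAP_SYS_MODULE = 16, CAP_SYS_BOOT = 22, CAP_SYS_TIME = 25, CAP_AUDIT_WRITE = 29,
       CAP_AUDIT_CONTROL = 30, CAP_MAC_OVERRIDE = 32, CAP_MAC_ADMIN = 33 };
/* Bitmap of the seven capabilities the patch clears inside the container. */
#define LXC_DROPPED_CAPS ((1ULL << CAP_SYS_BOOT) | (1ULL << CAP_SYS_MODULE) | \
    (1ULL << CAP_SYS_TIME) | (1ULL << CAP_AUDIT_CONTROL) | (1ULL << CAP_AUDIT_WRITE) | \
    (1ULL << CAP_MAC_ADMIN) | (1ULL << CAP_MAC_OVERRIDE))
/* Hex bitmap of one "Cap*:" line of a /proc/<pid>/status buffer. A missing line
 * yields all-ones so callers fail closed on truncated or foreign input. */
static uint64_t status_cap_mask(const char *status, const char *key)
{
    size_t klen = strlen(key);
    for (const char *p = status; (p = strstr(p, key)) != NULL; p += klen) {
        /* Accept the key only at a line start and followed by ':' (then '\t' + hex). */
        if ((p == status || p[-1] == '\n') && p[klen] == ':')
            return strtoull(p + klen + 1, NULL, 16);   /* strtoull skips the '\t' */
    }
    return ~0ULL;
}

/* Bitmap of must-be-dropped capabilities still present in the inheritable, permitted,
 * effective or bounding set of the process; 0 means it is confined as intended. */
uint64_t leaked_container_caps(const char *status)
{
    static const char *const sets[] = { "CapInh", "CapPrm", "CapEff", "CapBnd" };
    uint64_t leaked = 0;
    for (size_t i = 0; i < 4; i++)
        leaked |= status_cap_mask(status, sets[i]) & LXC_DROPPED_CAPS;
    return leaked;
}

/* Constructed samples: a full 34-capability root set (caps 0..33), and the same
 * process after the seven capabilities above were cleared from every set. */
const char *SAMPLE_UNCONFINED = "Name:\tinit\nCapInh:\t0000000000000000\n"
    "CapPrm:\t00000003ffffffff\nCapEff:\t00000003ffffffff\nCapBnd:\t00000003ffffffff\n";
const char *SAMPLE_CONFINED = "Name:\tinit\nCapInh:\t0000000000000000\n"
    "CapPrm:\t000000009dbeffff\nCapEff:\t000000009dbeffff\nCapBnd:\t000000009dbeffff\n";

int main(void)
{
    printf("unconfined leaks 0x%llx\n", (unsigned long long)leaked_container_caps(SAMPLE_UNCONFINED));
    printf("confined leaks 0x%llx\n", (unsigned long long)leaked_container_caps(SAMPLE_CONFINED));
    return 0;
}
```

The securebits that capng_lock sets are not exposed in `/proc/<pid>/status`; only the process itself can read them with `prctl(PR_GET_SECUREBITS)`, so the NOROOT/NOROOT_LOCKED part has to be verified from inside the container.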


