[libvirt] [RFC][PATCH] lxc: drop CAP_SYS_BOOT capability to prevent rebooting from inside containers

Serge E. Hallyn serue at us.ibm.com
Fri May 8 02:04:01 UTC 2009


Quoting Ryota Ozaki (ozaki.ryota at gmail.com):
> Hi Serge,
> 
> On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn <serue at us.ibm.com> wrote:
> > Quoting Ryota Ozaki (ozaki.ryota at gmail.com):
> >> Hi,

...

> >> +    for (i = 0 ; i < ARRAY_CARDINALITY(caps) ; i++) {
> >> +        if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) {
> >> +            lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
> >> +                     "%s", _("failed to drop %s"), caps[i].name);
> >> +            return -1;
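Review bot: the lxcError() call inside the loop never prints the capability name. The format string is "%s" and the translated "failed to drop %s" is passed as its only argument, so caps[i].name is left unconsumed and the reported message is the literal text "failed to drop %s". Pass the translated string as the format instead, i.e. `lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR, _("failed to drop %s"), caps[i].name);`, so the name is substituted and the error is still translatable.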
> >
> > Ideally you should also drop it from pI.
> 
> If we do not drop it, a user in a container could set the CAP_SYS_BOOT fI bit
> on /bin/reboot and then gain CAP_SYS_BOOT back through fI. Is this
> understanding right?

Yup.

Of course most tasks run with pI empty, so it seems unlikely that
it would be a problem, but unless the libcap dependency becomes a
problem, it seems worth making sure that doesn't happen.

thanks,
-serge
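As an added example (not part of this thread and not libvirt's own code), the following C program does what the reply suggests: it removes CAP_SYS_BOOT from both the bounding set and the thread's inheritable set (pI), using raw prctl()/capget()/capset() calls instead of libcap, and reads both sets back to confirm. The function names are mine; dropping from the bounding set needs CAP_SETPCAP, while lowering pI is always allowed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Is `cap` still in the thread's bounding set?  1 = yes, 0 = no, -1 = error. */
static int cap_in_bset(int cap) { return prctl(PR_CAPBSET_READ, cap, 0, 0, 0); }

/* Read the thread's capability sets (v3 layout: two 32-bit words per set). */
static int get_caps(struct __user_cap_header_struct *hdr,
                    struct __user_cap_data_struct data[2])
{
    memset(hdr, 0, sizeof(*hdr));
    hdr->version = _LINUX_CAPABILITY_VERSION_3;
    hdr->pid = 0;                       /* 0 = calling thread */
    return (int)syscall(SYS_capget, hdr, data);
}

/* Is `cap` in the thread's inheritable set (pI)?  1 = yes, 0 = no, -1 = error. */
static int cap_in_inheritable(int cap)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    if (get_caps(&hdr, data) < 0)
        return -1;
    return (data[cap >> 5].inheritable >> (cap & 31)) & 1;
}

/* Remove `cap` from the bounding set (what the patch does). Needs CAP_SETPCAP. */
static int drop_from_bset(int cap) { return prctl(PR_CAPBSET_DROP, cap, 0, 0, 0); }

/* Remove `cap` from pI as well. Without this, a binary carrying the matching
 * fI bit could hand the capability back (pP' includes pI & fI); with pI
 * cleared, the fI bit has nothing to intersect with. Lowering pI needs no
 * privilege, so this succeeds even when the bounding-set drop is denied. */
static int drop_from_inheritable(int cap)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    if (get_caps(&hdr, data) < 0)
        return -1;
    data[cap >> 5].inheritable &= ~(1u << (cap & 31));
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(void)
{
    int b = drop_from_bset(CAP_SYS_BOOT);
    printf("bounding set drop: %s\n", b == 0 ? "ok" : strerror(errno));
    printf("pI drop: %s\n", drop_from_inheritable(CAP_SYS_BOOT) == 0 ? "ok" : "failed");
    printf("CAP_SYS_BOOT in bset=%d pI=%d\n",
           cap_in_bset(CAP_SYS_BOOT), cap_in_inheritable(CAP_SYS_BOOT));
    return 0;
}
```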