[libvirt] [RFC][PATCH] lxc: drop CAP_SYS_BOOT capability to prevent rebooting from inside containers

Daniel P. Berrange berrange at redhat.com
Mon May 11 16:22:15 UTC 2009


On Mon, May 11, 2009 at 05:59:45PM +0200, Matthias Bolte wrote:
> Hi,
> 
> I needed to apply the following two small changes to get it to compile.
> 
> On my system (Ubuntu 9.04) I don't have a sys/capability.h header, but
> a linux/capability.h header as part of the linux-libc-dev package.

That is because sys/capability.h is provided by libcap, not libc.
I guess you don't have libcap-dev installed.

$ rpm -qf /usr/include/sys/capability.h
libcap-devel-2.06-4.fc9.i386


> 
> diff --git a/src/lxc_container.c b/src/lxc_container.c
> index 3687750..a2b3051 100644
> --- a/src/lxc_container.c
> +++ b/src/lxc_container.c
> @@ -42,7 +42,7 @@
>  #include <linux/fs.h>
> 
>  #include <sys/prctl.h>
> -#include <sys/capability.h>
> +#include <linux/capability.h>
> 
>  #include "virterror_internal.h"
>  #include "logging.h"
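
Review bot: replacing `#include <sys/capability.h>` with `#include <linux/capability.h>` in this hunk works around a missing development package rather than a defect in the source, since sys/capability.h is shipped by libcap and not by libc, as the reply earlier in this message states. Suggest keeping the original include and having the build report missing libcap development headers at configure time, so that the failure on a system like the Ubuntu 9.04 one described is clear instead of surfacing as a compile error.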

NACK to this change.

> @@ -642,7 +642,7 @@ static int lxcContainerSetupMounts(virDomainDefPtr vmDef,
>          return lxcContainerSetupExtraMounts(vmDef);
>  }
> 
> -static int lxcContainerDropCapabilities( virDomainDefPtr vmDef )
> +static int lxcContainerDropCapabilities( virDomainDefPtr vmDef
> ATTRIBUTE_UNUSED )
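
Review bot: the added signature line has been split in two by mail wrapping (`ATTRIBUTE_UNUSED )` sits on its own quoted line), so this hunk will not apply as sent; resend it unwrapped or as an attachment. Separately, if lxcContainerDropCapabilities never needs vmDef, removing the parameter would be cleaner than marking it ATTRIBUTE_UNUSED; if it is being kept for later use, a short comment saying so would help.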


I committed this fix a little while ago...

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|



