[libvirt] [RFC][PATCH] lxc: drop CAP_SYS_BOOT capability to prevent rebooting from inside containers
Daniel P. Berrange
berrange at redhat.com
Mon May 11 16:49:02 UTC 2009
On Mon, May 11, 2009 at 05:22:15PM +0100, Daniel P. Berrange wrote:
> On Mon, May 11, 2009 at 05:59:45PM +0200, Matthias Bolte wrote:
> > Hi,
> >
> > I needed to apply the following two small changes to get it to compile.
> >
> > On my system (Ubuntu 9.04) I don't have a sys/capability.h header, but
> > a linux/capability.h header as part of the linux-libc-dev package.
>
> That is because sys/capability.h is provided by libcap, not libc.
> I guess you don't have libcap-dev installed.
>
> $ rpm -qf /usr/include/sys/capability.h
> libcap-devel-2.06-4.fc9.i386
>
>
> >
> > diff --git a/src/lxc_container.c b/src/lxc_container.c
> > index 3687750..a2b3051 100644
> > --- a/src/lxc_container.c
> > +++ b/src/lxc_container.c
> > @@ -42,7 +42,7 @@
> > #include <linux/fs.h>
> >
> > #include <sys/prctl.h>
> > -#include <sys/capability.h>
> > +#include <linux/capability.h>
> >
> > #include "virterror_internal.h"
> > #include "logging.h"
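Review bot: the swap at `-#include <sys/capability.h>` / `+#include <linux/capability.h>` is only correct if lxc_container.c calls no libcap functions and needs just the CAP_* constants, which the context lines here do not show. Please confirm that and state in the commit message that the file uses only the kernel header. Because linux/capability.h ships with the kernel headers package (linux-libc-dev on the reporter's system) rather than with libc, a configure check for it would turn a missing header into a clear configure-time failure instead of a mid-build one.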
>
> NACK to this change.
Actually I take that back. We don't need anything in sys/capability.h, so it's
pointless adding a dep on libcap. Let's just use the linux/capability.h header
to get the prctl() definition & constants.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
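The point made in the reply above, as an added example that is not libvirt's code or part of the original thread: CAP_SYS_BOOT can be removed using only prctl() and the kernel's linux/capability.h, with no libcap calls. It assumes the capability bounding set (PR_CAPBSET_DROP) is the mechanism; the helper names bounding_has and bounding_drop are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>          /* prctl(), PR_CAPBSET_READ, PR_CAPBSET_DROP */
#include <linux/capability.h>   /* CAP_SYS_BOOT; kernel header, not libcap */

/* Returns 1 if cap is in the calling thread's bounding set,
 * 0 if it is not, or -errno if the kernel rejects the query. */
static int bounding_has(int cap)
{
    int r = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* Removes cap from the bounding set and verifies the result.
 * Returns 0 when the capability is absent afterwards, -errno on
 * failure (-EPERM when the caller lacks CAP_SETPCAP). The bounding
 * set limits what can be gained across execve(), so a container
 * setup path would call this before exec'ing the container's init. */
static int bounding_drop(int cap)
{
    int has = bounding_has(cap);
    if (has <= 0)
        return has;             /* already absent, or query failed */
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0)
        return -errno;
    return bounding_has(cap) == 0 ? 0 : -EIO;
}

int main(void)
{
    int rc = bounding_drop(CAP_SYS_BOOT);
    if (rc < 0) {
        /* Fail closed: do not start the container with reboot rights. */
        fprintf(stderr, "cannot drop CAP_SYS_BOOT: %s\n", strerror(-rc));
        return 1;
    }
    printf("CAP_SYS_BOOT in bounding set: %d\n", bounding_has(CAP_SYS_BOOT));
    return 0;
}
```

Run unprivileged, the drop returns -EPERM and the program exits non-zero, which is the behaviour a container launcher wants when it cannot enforce the restriction.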