[libvirt] [RFC PATCH 1/2] LXC: Drop capabilities only if we're not within a user namespace

Daniel P. Berrange berrange at redhat.com
Tue Jun 25 10:04:27 UTC 2013


On Tue, Jun 25, 2013 at 09:47:13AM +0200, Richard Weinberger wrote:
> On 13.06.2013 20:02, Richard Weinberger wrote:
> > Dropping capabilities within a user namespace makes no sense
> > because any uid 0 process will regain all caps upon execve().
> > 
> > Signed-off-by: Richard Weinberger <richard at nod.at>
> > ---
> >  src/lxc/lxc_container.c | 21 ++++++++++-----------
> >  1 file changed, 10 insertions(+), 11 deletions(-)
> > 
> > diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> > index 958e20d..4f00420 100644
> > --- a/src/lxc/lxc_container.c
> > +++ b/src/lxc/lxc_container.c
> > @@ -1896,6 +1896,15 @@ static int lxcContainerDropCapabilities(bool keepReboot ATTRIBUTE_UNUSED)
> >      return 0;
> >  }
> >  
> > +static int userns_supported(void)
> > +{
> > +    return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
> > +}
> > +
> > +static int userns_required(virDomainDefPtr def)
> > +{
> > +    return def->idmap.uidmap && def->idmap.gidmap;
> > +}
> >  
> >  /**
> >   * lxcContainerChild:
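Review bot: only userns_required() is consumed by the new condition in lxcContainerChild(), so userns_supported() does not need to move for this change; if both helpers are relocated anyway, this is the place to bring them in line with the file's conventions, i.e. a bool return and the lxcContainer prefix rather than `int` carrying a pointer test (`static bool lxcContainerUsernsRequired(virDomainDefPtr def)`). Note also that `def->idmap.uidmap && def->idmap.gidmap` is true only when both maps are present, so a definition with just one of them still goes through the capability drop; if that is intended, a one-line comment saying so would help the next reader.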
> > @@ -1992,7 +2001,7 @@ static int lxcContainerChild(void *data)
> >      }
> >  
> >      /* drop a set of root capabilities */
> > -    if (lxcContainerDropCapabilities(!!hasReboot) < 0)
> > +    if (!userns_required(vmDef) && lxcContainerDropCapabilities(!!hasReboot) < 0)
> >          goto cleanup;
> >  
> >      if (lxcContainerSendContinue(argv->handshakefd) < 0) {
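Review bot: the guard `!userns_required(vmDef)` checks that the domain XML asked for an idmap, not that the container actually ended up in a user namespace, so a definition with a mapping on a host where the feature is missing (userns_supported() is moved in this series but never consulted here) would skip the drop without getting namespace confinement either; gate on the namespace having been created, e.g. `!(userns_required(vmDef) && userns_supported())` or a flag set where CLONE_NEWUSER is applied. Separately, the premise that dropping is pointless inside a user namespace holds for the permitted/effective sets but not for the bounding set: a uid 0 process regains on execve() only what its bounding set still contains, each user namespace carries its own bounding set, and PR_CAPBSET_DROP (or SECBIT_NOROOT) applied inside the namespace therefore does persist for the container's processes. If lxcContainerDropCapabilities() works through the bounding set, it should keep running in the userns case rather than be skipped. The comment `/* drop a set of root capabilities */` above the call also needs to mention the new exception.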
> > @@ -2025,16 +2034,6 @@ cleanup:
> >      return ret;
> >  }
> >  
> > -static int userns_supported(void)
> > -{
> > -    return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
> > -}
> > -
> > -static int userns_required(virDomainDefPtr def)
> > -{
> > -    return def->idmap.uidmap && def->idmap.gidmap;
> > -}
> > -
> >  virArch lxcContainerGetAlt32bitArch(virArch arch)
> >  {
> >      /* Any Linux 64bit arch which has a 32bit
> > 
> 
> Any feedback on that one?

I've been away on PTO for 2 weeks, so LXC review/merge got delayed.
I'm looking to get the basic userns stuff merged first, for this
release, then I'll look at followup patches to see what we need
for this release vs next.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
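A worked demonstration of the behaviour the commit message relies on, added here as an example; it is not libvirt code and not from either poster. It assumes Linux with /proc mounted and unprivileged user namespaces enabled, and the function names are its own. It unshares a user namespace, maps the caller to uid 0, removes CAP_SYS_ADMIN from the permitted/effective sets only and CAP_NET_RAW from the bounding set, then re-executes itself and reads /proc/self/status: CAP_SYS_ADMIN comes back after execve() (the message's point), CAP_NET_RAW does not (the bounding-set caveat).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Parse the hex mask from a "CapXxx:\t<hex>" line of /proc/<pid>/status.
 * Returns 0 for any line that is not a capability line. */
uint64_t parse_cap_line(const char *line)
{
    const char *tab = strchr(line, '\t');
    if (strncmp(line, "Cap", 3) != 0 || !tab)
        return 0;
    return (uint64_t)strtoull(tab + 1, NULL, 16);
}

int cap_in_mask(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1);
}

/* execve() rule for a process whose uid is 0 in its user namespace: file
 * capabilities count as all-ones, so new permitted = inheritable | bounding.
 * A drop from permitted/effective alone does not survive; a drop from the
 * bounding set does. */
uint64_t caps_after_execve_as_root(uint64_t inheritable, uint64_t bounding)
{
    return inheritable | bounding;
}

static uint64_t read_cap(const char *name)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    uint64_t mask = 0;
    size_t n = strlen(name);

    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, name, n) == 0 && line[n] == ':') {
            mask = parse_cap_line(line);
            break;
        }
    }
    fclose(f);
    return mask;
}

/* Naive drop: clear one capability from the thread's own sets via the raw
 * capset() syscall (no libcap dependency). */
static int drop_from_permitted(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    uint32_t bit = 1u << (cap % 32);

    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    data[cap / 32].effective &= ~bit;
    data[cap / 32].permitted &= ~bit;
    data[cap / 32].inheritable &= ~bit;
    return (int)syscall(SYS_capset, &hdr, data);
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    ssize_t n;

    if (fd < 0)
        return -1;
    n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

static void report(const char *when)
{
    printf("%s: CapEff SYS_ADMIN=%d NET_RAW=%d | CapBnd SYS_ADMIN=%d NET_RAW=%d\n",
           when,
           cap_in_mask(read_cap("CapEff"), CAP_SYS_ADMIN),
           cap_in_mask(read_cap("CapEff"), CAP_NET_RAW),
           cap_in_mask(read_cap("CapBnd"), CAP_SYS_ADMIN),
           cap_in_mask(read_cap("CapBnd"), CAP_NET_RAW));
}

int main(int argc, char **argv)
{
    char map[64];
    uid_t uid = getuid();   /* captured before unshare(): afterwards */
    gid_t gid = getgid();   /* getuid() reports the overflow uid      */

    if (argc > 1 && strcmp(argv[1], "child") == 0) {
        report("after execve");
        return 0;
    }
    if (unshare(CLONE_NEWUSER) < 0) {
        perror("unshare(CLONE_NEWUSER)");
        return 1;
    }
    write_file("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)gid);
    if (write_file("/proc/self/gid_map", map) < 0) { perror("gid_map"); return 1; }
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)uid);
    if (write_file("/proc/self/uid_map", map) < 0) { perror("uid_map"); return 1; }

    if (drop_from_permitted(CAP_SYS_ADMIN) < 0)
        perror("capset");
    if (prctl(PR_CAPBSET_DROP, CAP_NET_RAW, 0, 0, 0) < 0)
        perror("PR_CAPBSET_DROP");
    report("before execve");

    execl("/proc/self/exe", argv[0], "child", (char *)NULL);
    perror("execl");
    return 1;
}
```

Run it as an unprivileged user; the two report lines show CAP_SYS_ADMIN leaving CapEff before the execve() and returning after it, while CAP_NET_RAW is still in CapEff before the execve() (a bounding-set drop does not touch the current sets) and gone afterwards. If unshare() fails with EPERM, the host has unprivileged user namespaces disabled.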