[libvirt] [RFC PATCH 1/2] LXC: Drop capabilities only if we're not within a user namespace

Daniel P. Berrange berrange at redhat.com
Tue Jun 25 22:09:26 UTC 2013


On Tue, Jun 25, 2013 at 11:52:58PM +0200, Richard Weinberger wrote:
> Am 25.06.2013 22:36, schrieb Daniel P. Berrange:
> > On Thu, Jun 13, 2013 at 08:02:17PM +0200, Richard Weinberger wrote:
> >> Dropping capabilities within a user namespace makes no sense
> >> because any uid 0 process will regain all caps upon execve().
> > 
> > That is true, except for the fact that libvirt has removed the
> > capabilities from the bounding set too. This prevents them being
> > regained upon execve.
> 
> Are you sure that this applies also for user namespaces?

The only thing that namespaces change is that when you clone()
with CLONE_NEWUSER set, the child process will get initialized
with the full set of capabilities, regardless of what the parent
had. Thereafter all the normal rules about manipulation of
capabilities apply, including the bounding set.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
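The question in this exchange (does a bounding-set drop made before clone() with CLONE_NEWUSER still hold inside the new user namespace?) can be checked directly on a running kernel. The following C program is an added example, not code from the thread or from libvirt: it drops CAP_SYS_ADMIN from the bounding set with prctl(PR_CAPBSET_DROP), enters a fresh user namespace with unshare(CLONE_NEWUSER), and re-reads the bounding set. The function names and result codes are this example's own.

```c
/* Added example (not from the thread or libvirt): does a bounding-set
 * drop survive entering a new user namespace?  Build: gcc -o bset_ns bset_ns.c
 * Run once with CAP_SETPCAP (e.g. as root) and once unprivileged. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* 1 if `cap` is in the calling thread's bounding set, 0 if not, -1 if invalid. */
int cap_bset_has(int cap) { return prctl(PR_CAPBSET_READ, cap, 0, 0, 0); }

/* Drop `cap` from the bounding set; needs CAP_SETPCAP. 0 on success, -errno on failure. */
int cap_bset_drop(int cap) {
    return prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0 ? 0 : -errno;
}

/* Result codes for bset_survives_userns() (names are this example's own). */
enum { EXP_SURVIVED = 1, EXP_REGAINED = 0, EXP_NO_SETPCAP = -1, EXP_NO_USERNS = -2 };

/* Drops `cap` from the bounding set, enters a new user namespace with
 * unshare(CLONE_NEWUSER), and reports whether the drop is still visible
 * there.  The caller's own credentials change, so run it in a throwaway
 * process rather than inside a long-lived one. */
int bset_survives_userns(int cap) {
    if (cap_bset_drop(cap) != 0) return EXP_NO_SETPCAP;
    if (unshare(CLONE_NEWUSER) != 0) return EXP_NO_USERNS;
    return cap_bset_has(cap) ? EXP_REGAINED : EXP_SURVIVED;
}

int main(void) {
    const int cap = CAP_SYS_ADMIN;
    printf("CAP_SYS_ADMIN in bounding set before: %d\n", cap_bset_has(cap));
    int rc = bset_survives_userns(cap);
    int err = errno;
    switch (rc) {
    case EXP_SURVIVED:   puts("drop survived CLONE_NEWUSER"); break;
    case EXP_REGAINED:   puts("CAP_SYS_ADMIN is back in the bounding set inside the new user namespace"); break;
    case EXP_NO_SETPCAP: printf("PR_CAPBSET_DROP failed: %s (need CAP_SETPCAP)\n", strerror(err)); break;
    case EXP_NO_USERNS:  printf("unshare(CLONE_NEWUSER) failed: %s\n", strerror(err)); break;
    }
    return 0;
}
```

Comparing the output from a privileged and an unprivileged run shows whether a capability restriction applied to the parent is what actually bounds a process inside the user namespace, which is the property a container runtime's drop-capabilities step relies on.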
