Quoting Ryota Ozaki (ozaki.ryota(a)gmail.com):
Hi Serge,
On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn <serue(a)us.ibm.com> wrote:
> Quoting Ryota Ozaki (ozaki.ryota(a)gmail.com):
>> Hi,
...
>> + for (i = 0 ; i < ARRAY_CARDINALITY(caps) ; i++) {
>> + if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) {
>> + lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
>> + "%s", _("failed to drop %s"),
caps[i].name);
>> + return -1;
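Review bot: the lxcError call passes "%s" as the format string and _("failed to drop %s") as the only argument that format consumes, so caps[i].name is never substituted and the logged message will literally read "failed to drop %s"; either use _("failed to drop %s") itself as the format with caps[i].name as its argument, or keep the "%s" wrapper and pass a fully formatted string. Separately, as raised below, prctl(PR_CAPBSET_DROP) removes the capability only from the bounding set; a bit still present in the inheritable set can come back through a file's fI on exec, so the loop should clear pI for each dropped capability as well.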
>
> Ideally you should also drop it from pI.
If we don't drop it, a user in a container could set the CAP_SYS_BOOT fI bit of
/bin/reboot and then gain CAP_SYS_BOOT back through the fI. Is this
understanding right?
Yup.
Of course most tasks run with pI empty, so it seems unlikely that
it would be a problem, but unless the libcap dependency becomes a
problem, it seems worth making sure that doesn't happen.
thanks,
-serge
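The exec-time rule the exchange above turns on, worked through as an added example in C (it is not part of this thread or of libvirt's code). It models the pre-ambient Linux rules from capabilities(7) as bit masks: the new permitted set is (pI & fI) | (fP & bounding), so the bounding set masks only the file's permitted bits and never the pI & fI term. The starting process sets, the file capabilities on the reboot binary and the helper names are constructed for the example; 22 is the Linux capability number of CAP_SYS_BOOT.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability sets modelled as 64-bit masks, one bit per capability number. */
typedef uint64_t capmask_t;
#define CAP_BIT(n) ((capmask_t)1u << (n))
#define SYS_BOOT_BIT 22 /* CAP_SYS_BOOT is capability number 22 on Linux */

struct proc_caps { capmask_t permitted, inheritable, effective, bounding; };
struct file_caps { capmask_t permitted, inheritable; bool effective; };

static bool has_cap(capmask_t set, int cap) { return (set & CAP_BIT(cap)) != 0; }

/* Pre-ambient execve() rules from capabilities(7). The bounding set masks
 * only fP; a capability present in both pI and fI survives regardless. */
static struct proc_caps exec_transition(struct proc_caps p, struct file_caps f)
{
    struct proc_caps n;
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & p.bounding);
    n.effective   = f.effective ? n.permitted : 0;
    n.inheritable = p.inheritable;
    n.bounding    = p.bounding;
    return n;
}

/* What the patch under discussion does: prctl(PR_CAPBSET_DROP) only. */
static struct proc_caps drop_from_bounding_only(struct proc_caps p, int cap)
{
    p.bounding &= ~CAP_BIT(cap);
    return p;
}

/* What the review asks for: clear the bit from pI too (capset(2) or libcap). */
static struct proc_caps drop_from_bounding_and_inheritable(struct proc_caps p, int cap)
{
    p = drop_from_bounding_only(p, cap);
    p.inheritable &= ~CAP_BIT(cap);
    return p;
}

/* Constructed starting point: a container init that still holds CAP_SYS_BOOT
 * in all three of its sets and has an unrestricted bounding set. */
static struct proc_caps container_init_caps(void)
{
    struct proc_caps p;
    p.permitted = p.inheritable = p.effective = CAP_BIT(SYS_BOOT_BIT) | CAP_BIT(0);
    p.bounding = ~(capmask_t)0;
    return p;
}

/* Constructed file capabilities: a reboot binary tagged cap_sys_boot+i by a
 * user inside the container, i.e. fI set, fP empty, fE on. */
static const struct file_caps reboot_file = {
    .permitted = 0, .inheritable = CAP_BIT(SYS_BOOT_BIT), .effective = true };

/* Does a process with sets p hold CAP_SYS_BOOT again after exec of reboot_file? */
static bool regains_sys_boot(struct proc_caps p)
{
    return has_cap(exec_transition(p, reboot_file).effective, SYS_BOOT_BIT);
}

int main(void)
{
    struct proc_caps base = container_init_caps();
    printf("bounding set only : regains CAP_SYS_BOOT = %s\n",
           regains_sys_boot(drop_from_bounding_only(base, SYS_BOOT_BIT)) ? "yes" : "no");
    printf("bounding set + pI : regains CAP_SYS_BOOT = %s\n",
           regains_sys_boot(drop_from_bounding_and_inheritable(base, SYS_BOOT_BIT)) ? "yes" : "no");
    return 0;
}
```

Dropping the bit from the bounding set alone leaves the (pI & fI) term intact, so the first line prints "yes"; clearing pI as well makes it "no". With an empty pI, which is the common case Serge mentions, the bounding-set drop is already sufficient. In a real process the pI change is made with capset(2) or libcap's cap_set_proc(), which is the libcap dependency the thread weighs.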