Quoting Ryota Ozaki (ozaki.ryota(a)gmail.com):
Hi Serge,
On Fri, May 8, 2009 at 11:04 AM, Serge E. Hallyn <serue(a)us.ibm.com> wrote:
> Quoting Ryota Ozaki (ozaki.ryota(a)gmail.com):
>> Hi Serge,
>>
>> On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn <serue(a)us.ibm.com> wrote:
>> > Quoting Ryota Ozaki (ozaki.ryota(a)gmail.com):
>> >> Hi,
>
> ...
>
>> >> + for (i = 0 ; i < ARRAY_CARDINALITY(caps) ; i++) {
>> >> + if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) {
>> >> + lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
>> >> + "%s", _("failed to drop %s"),
caps[i].name);
>> >> + return -1;
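Review bot: the lxcError() call in this hunk has a format/argument mismatch: the format string is "%s" and the translated "failed to drop %s" is passed as its only argument, so caps[i].name is never substituted and the literal text "failed to drop %s" is what gets reported. Pass the translated string as the format itself, e.g. `lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR, _("failed to drop %s"), caps[i].name);`. Separately, as discussed in this thread, prctl(PR_CAPBSET_DROP) only removes the capability from the bounding set; if the capability stays in the process's inheritable set (pI), it can come back on exec of a file whose fI has it, so pI should be cleared as well, which needs libcap since prctl(2) cannot change pI.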
>> >
>> > Ideally you should also drop it from pI.
>>
>> If we don't drop it, a user in a container could set the CAP_SYS_BOOT fI bit of
>> /bin/reboot and then the user could gain CAP_SYS_BOOT back through
>> the fI. Is this understanding right?
>
> Yup.
>
> Of course most tasks run with pI empty, so it seems unlikely that
> it would be a problem, but unless the libcap dependency becomes a
> problem, it seems worth making sure that doesn't happen.
Oh, I slightly misread your suggestion, sorry. You are suggesting that making
sure requires dropping a capability from both the bounding set AND the pI of a process,
and to do so we need an additional package (libcap2 or something) because
prctl(2) doesn't have a function to drop pI, aren't you?
Yes.
Um, I hope my patch is sufficient as a first step, but ok, I'll try to implement
the function to drop pI as well and confirm whether it is feasible for libvirt.
Yes, there is nothing wrong with applying your patch as is for now.
thanks,
-serge
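Added example (not code from the libvirt patch or from this thread) showing why the review asks for the capability to be dropped from pI as well as from the bounding set. It models the execve() capability transition documented in capabilities(7), using constructed masks: the CAP_SYS_BOOT bit position, the struct names and the "container init task" starting sets are stand-ins chosen here, and the ambient set added in later kernels is left out since it is empty for a file that carries capabilities.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins: CAP_SYS_BOOT is bit 22 in <linux/capability.h>;
 * only the bit position matters for this model. */
#define CAP_SYS_BOOT 22
#define CAP_BIT(c) ((uint64_t)1 << (c))
#define ALL_CAPS (~(uint64_t)0)

/* Capability sets of a process (P in capabilities(7) notation). */
struct proc_caps {
    uint64_t permitted;   /* pP */
    uint64_t inheritable; /* pI */
    uint64_t effective;   /* pE */
    uint64_t bounding;    /* bounding set, what PR_CAPBSET_DROP shrinks */
};

/* File capabilities from the security.capability xattr (F in capabilities(7)). */
struct file_caps {
    uint64_t permitted;   /* fP */
    uint64_t inheritable; /* fI */
    bool effective;       /* fE: a single bit in the xattr */
};

/* execve() transition from capabilities(7), pre-ambient form:
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding))
 *   P'(effective)   = F(effective) ? P'(permitted) : 0
 *   P'(inheritable) = P(inheritable)
 *   P'(bounding)    = P(bounding)
 * The bounding set only masks the fP term; the pI & fI term is not masked,
 * which is exactly the gap the review comment is about. */
struct proc_caps exec_transition(struct proc_caps p, struct file_caps f)
{
    struct proc_caps n;
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & p.bounding);
    n.effective   = f.effective ? n.permitted : 0;
    n.inheritable = p.inheritable;
    n.bounding    = p.bounding;
    return n;
}

/* What the patch does: prctl(PR_CAPBSET_DROP, cap) only touches the bounding set. */
struct proc_caps drop_from_bounding(struct proc_caps p, int cap)
{
    p.bounding &= ~CAP_BIT(cap);
    return p;
}

/* What the review asks for in addition: clear the bit from pI too
 * (on a real process that is libcap's cap_set_proc(), not prctl). */
struct proc_caps drop_from_bounding_and_inheritable(struct proc_caps p, int cap)
{
    p = drop_from_bounding(p, cap);
    p.inheritable &= ~CAP_BIT(cap);
    return p;
}

/* Does cap land in the permitted set after exec of a binary whose fI has it?
 * Models a /bin/reboot with fI = CAP_SYS_BOOT, fP empty and fE set. */
bool regained_via_fi(struct proc_caps p, int cap)
{
    struct file_caps binary = { .permitted = 0, .inheritable = CAP_BIT(cap), .effective = true };
    struct proc_caps after = exec_transition(p, binary);
    return (after.permitted & CAP_BIT(cap)) != 0;
}

/* Constructed starting point: a root-like task inside the container with
 * CAP_SYS_BOOT in pP, pE and pI and a full bounding set, before any drop. */
struct proc_caps container_init_task(void)
{
    struct proc_caps p = {
        .permitted = CAP_BIT(CAP_SYS_BOOT), .inheritable = CAP_BIT(CAP_SYS_BOOT),
        .effective = CAP_BIT(CAP_SYS_BOOT), .bounding = ALL_CAPS,
    };
    return p;
}

int main(void)
{
    struct proc_caps p = container_init_task();
    printf("bounding drop only : regained via fI = %d\n",
           regained_via_fi(drop_from_bounding(p, CAP_SYS_BOOT), CAP_SYS_BOOT));
    printf("bounding + pI drop : regained via fI = %d\n",
           regained_via_fi(drop_from_bounding_and_inheritable(p, CAP_SYS_BOOT), CAP_SYS_BOOT));
    return 0;
}
```

With the bounding set drop alone the model reports that CAP_SYS_BOOT is regained (pI & fI survives), and with pI cleared too it is not; a task whose pI is already empty, the common case Serge mentions, cannot regain it either way.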