
Hi Serge,

On Fri, May 8, 2009 at 11:04 AM, Serge E. Hallyn <serue@us.ibm.com> wrote:
Quoting Ryota Ozaki (ozaki.ryota@gmail.com):
Hi Serge,
On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn <serue@us.ibm.com> wrote:
Quoting Ryota Ozaki (ozaki.ryota@gmail.com):
Hi,
...
+ for (i = 0 ; i < ARRAY_CARDINALITY(caps) ; i++) { + if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) { + lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR, + "%s", _("failed to drop %s"), caps[i].name); + return -1;
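Review bot: the lxcError() call in this hunk passes "%s" as the format string and _("failed to drop %s") as its only consumed argument, so the %s inside the translated message is never expanded and caps[i].name is an unused trailing argument; the logged text will read literally "failed to drop %s". Pass the translated message as the format instead, e.g. `lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR, _("failed to drop %s"), caps[i].name);`. Separately, as the discussion below notes, the loop only removes each capability from the bounding set via prctl(PR_CAPBSET_DROP); the process's inheritable set is left untouched.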
Ideally you should also drop it from pI.
If it is not dropped, a user in a container could turn on the CAP_SYS_BOOT fI bit of /bin/reboot and then gain CAP_SYS_BOOT back through fI. Is this understanding right?
Yup.
Of course most tasks run with pI empty, so it seems unlikely that it would be a problem, but unless the libcap dependency becomes a problem, it seems worth making sure that doesn't happen.
Oh, I slightly misread your suggestion, sorry. You are suggesting that making sure of that requires dropping a capability from both the bounding set AND the pI of a process, and that to do so we need an additional package (libcap2 or something) because prctl(2) doesn't provide a way to drop from pI, aren't you? Um, I hope my patch is sufficient as a first step, but OK, I'll try to implement the function to drop from pI as well and confirm whether it is feasible for libvirt.

Thanks,
  ozaki-r
thanks,
-serge
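As an added illustration of the point being discussed (this is example code, not the libvirt patch under review or any libvirt code), the following C program drops a capability from the bounding set with prctl(PR_CAPBSET_DROP) and, without a libcap dependency, also clears it from the inheritable, permitted and effective sets through the raw capset(2) syscall. It then audits /proc/self/status for the incomplete-drop condition Serge describes: the capability gone from CapBnd but still present in CapInh. The two embedded /proc status excerpts are constructed samples, not captured from a real container, and the raw-syscall approach and the function names are my own choices, not anything the thread proposes.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>
#ifdef __linux__
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#endif

/* CAP_SYS_BOOT is capability number 22 in <linux/capability.h>; hard-coded here
 * so the parsing helpers build on non-Linux hosts too. */
#define CAP_SYS_BOOT_NUM 22

/* Constructed /proc/<pid>/status excerpt (not from a real system): bit 22 has been
 * dropped from the bounding set (CapBnd) but is still in the inheritable set (CapInh). */
static const char SAMPLE_STATUS_BND_ONLY[] =
    "Name:\tlibvirt_lxc\n"
    "CapInh:\t0000000000400000\n"
    "CapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\n"
    "CapBnd:\t0000003fffbfffff\n";

/* Constructed excerpt of the same process after the inheritable bit was cleared too. */
static const char SAMPLE_STATUS_FIXED[] =
    "Name:\tlibvirt_lxc\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000003fffbfffff\n"
    "CapEff:\t0000003fffbfffff\n"
    "CapBnd:\t0000003fffbfffff\n";

/* Find "<set_name>:" at the start of a line and return its hexadecimal mask.
 * Sets *found = 0 and returns 0 when the line is absent. */
static uint64_t cap_mask_from_status(const char *status_text, const char *set_name, int *found)
{
    size_t n = strlen(set_name);
    const char *line = status_text;
    *found = 0;
    while (line && *line) {
        if (strncmp(line, set_name, n) == 0 && line[n] == ':') {
            *found = 1;
            return (uint64_t)strtoull(line + n + 1, NULL, 16);
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return 0;
}

/* 1 if capability number `cap` is set in `mask`, else 0. */
static int cap_in_mask(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Audit check: 1 if `cap` is out of the bounding set but still inheritable
 * (the incomplete drop discussed above), 0 otherwise or if the lines are missing. */
static int cap_still_inheritable(const char *status_text, int cap)
{
    int f_bnd, f_inh;
    uint64_t bnd = cap_mask_from_status(status_text, "CapBnd", &f_bnd);
    uint64_t inh = cap_mask_from_status(status_text, "CapInh", &f_inh);
    if (!f_bnd || !f_inh)
        return 0;
    return !cap_in_mask(bnd, cap) && cap_in_mask(inh, cap);
}

#ifdef __linux__
/* Drop `cap` from the bounding set (prctl, needs CAP_SETPCAP) and from the
 * inheritable/permitted/effective sets via raw capset(2); shrinking those sets
 * needs no privilege. Returns 0 on success, -1 with errno set. */
static int drop_cap_everywhere(int cap)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    uint32_t bit = 1u << (cap % 32);
    int idx = cap / 32;

    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
        return -1;
    memset(&hdr, 0, sizeof hdr);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                          /* the calling thread */
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    data[idx].inheritable &= ~bit;
    data[idx].permitted   &= ~bit;
    data[idx].effective   &= ~bit;
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -1;
    return 0;
}

int main(void)
{
    char buf[4096];
    FILE *f = NULL;
    size_t got;

    if (drop_cap_everywhere(CAP_SYS_BOOT_NUM) != 0)
        perror("drop_cap_everywhere (bounding-set drop needs CAP_SETPCAP)");
    f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 1; }
    got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[got] = '\0';
    printf("CAP_SYS_BOOT still inheritable after drop: %s\n",
           cap_still_inheritable(buf, CAP_SYS_BOOT_NUM) ? "yes" : "no");
    return 0;
}
#else
int main(void)
{
    printf("incomplete drop in constructed sample: %d\n",
           cap_still_inheritable(SAMPLE_STATUS_BND_ONLY, CAP_SYS_BOOT_NUM));
    return 0;
}
#endif
```

Run as root (or with CAP_SETPCAP) on Linux and the audit line reports "no"; without CAP_SETPCAP the prctl() fails and the function returns early, which is exactly why a container manager must do the drop before giving up privilege. The same CapBnd/CapInh comparison can be applied to any process's /proc/<pid>/status to verify a container's setup from the outside.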