Re: [libvirt] [PATCH 4/3] Control LXC capabilities

Serge E. Hallyn wrote: > Quoting Daniel P. Berrange (berrange(a)redhat.com): > >> This patch updates the LXC driver to make use of libcap-ng for managing >> process capabilities. Previously Ryota Ozaki had provided code to remove >> the CAP_BOOT capabilities inside the container, preventing host reboots. >> In addition to that one, I believe we should be removing ability to >> load kernel modules, change the system clock and changing audit/MAC. >> So this patch also clears the following: >> >> CAP_SYS_MODULE, /* No kernel module loading */ >> CAP_SYS_TIME, /* No changing the clock */ >> CAP_AUDIT_CONTROL, /* No messing with auditing */ >> CAP_AUDIT_WRITE, /* No messing with auditing */ >> CAP_MAC_ADMIN, /* No messing with LSM */ >> CAP_MAC_OVERRIDE, /* No messing with LSM */ >> What is going to run inside your container? Turning off the MAC capabilities can seriously limit the programs that can run inside it. If you can't drop CAP_DAC_OVERRIDE or CAP_KILL it's unlikely that it makes sense to drop CAP_MAC_OVERRIDE. Similarly, if you can't drop CAP_FOWNER or CAP_CHOWN you'll probably be ill advised to forgo CAP_MAC_ADMIN.