
On Wed, Jul 08, 2009 at 01:12:59PM +0100, Daniel P. Berrange wrote:
My previous change to LXC container capabilities setup has a fairly stupid bug in it. The container init process starts off with no capabilities whatsoever :-( This was caused by a bogus capng_lock() call which meant that all capabilities were cleared when the init process was exec'd.
The capng_lock call sets NOROOT & NOROOT_LOCKED flags in the process secure bits. This is not necessary for the init process - we have reduced the bounding set which is sufficient for our security goals. With the capng_lock() call removed, the init process gets its permitted and effective sets filled to match the bounding set which is the desired scenario.
ACK, though feedback from LXC experts would be welcome :-)

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel@veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/
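To make the mechanism behind the patch description concrete, here is an added example; it is not libvirt code and not from either poster. It models the kernel's execve() capability rule for a uid-0 process, which is what decides whether the container init ends up with the bounding set or with nothing, and, when run as root on Linux, reproduces both outcomes: plain run drops CAP_SYS_ADMIN from the bounding set and execs a shell that still holds the rest; "lock" additionally sets the SECBIT_NOROOT and SECBIT_NOROOT_LOCKED securebits that capng_lock() sets, and the exec'd shell comes up with empty sets. Assumptions: the model follows the kernel rule pP' = (X & fP) | (pI & fI) with the file sets treated as all-ones for root while SECBIT_NOROOT is clear, the exec'd /bin/sh carries no file capabilities, and the function names permitted_after_exec, parse_cap_line and read_cap_field are the example's own.

```c
/*
 * Added example (not libvirt code): why setting the NOROOT securebits emptied
 * the LXC init process's capability sets, and why shrinking the bounding set
 * alone is enough.  Model of the kernel's execve() rule for a uid-0 process,
 * in the kernel's own notation:
 *     pP' = (X & fP) | (pI & fI)
 * X = bounding set, pI = old inheritable set, fP/fI = file capability sets of
 * the binary being executed.  For root with SECBIT_NOROOT clear, fP and fI
 * are treated as all-ones; for euid 0 the new effective set equals pP'.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Stable kernel ABI values, identical to linux/securebits.h and
 * linux/capability.h; defined here so the model builds without them. */
#define SECBIT_NOROOT         (1u << 0)
#define SECBIT_NOROOT_LOCKED  (1u << 1)
#define CAP_SYS_ADMIN         21

/* Permitted set after a non-setuid execve(); root = effective uid is 0. */
uint64_t permitted_after_exec(uint64_t bset, uint64_t pI, uint64_t fP,
                              uint64_t fI, int root, unsigned securebits)
{
    if (root && !(securebits & SECBIT_NOROOT)) {
        /* "privileged root" path: the file's sets are treated as all-ones,
         * so the result is bset | pI regardless of the binary's file caps */
        fP = ~0ULL;
        fI = ~0ULL;
    }
    /* With SECBIT_NOROOT set, a binary without file caps (fP = fI = 0)
     * yields an empty permitted set: the bug the patch description reports */
    return (bset & fP) | (pI & fI);
}

/* Parse one "CapXxx:\t<hex>" line from /proc/<pid>/status.  Returns 1 and
 * stores the mask in *out when the line is the field `name`, else 0. */
int parse_cap_line(const char *line, const char *name, uint64_t *out)
{
    size_t n = strlen(name);
    if (strncmp(line, name, n) != 0 || line[n] != ':')
        return 0;
    const char *p = line + n + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p)
        return 0;
    *out = (uint64_t)v;
    return 1;
}

/* Read one capability field of the calling process; 0 if unavailable. */
uint64_t read_cap_field(const char *name)
{
    uint64_t v = 0;
    char line[256];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f))
        if (parse_cap_line(line, name, &v))
            break;
    fclose(f);
    return v;
}

#ifdef __linux__
#include <sys/prctl.h>

/* Demo, run as root: drop CAP_SYS_ADMIN from the bounding set, optionally
 * set the same securebits capng_lock() sets ("lock" argument), predict the
 * post-exec permitted set, then exec a shell that prints the real sets. */
int main(int argc, char **argv)
{
    int lock = argc > 1 && strcmp(argv[1], "lock") == 0;
    unsigned secbits = 0;

    if (prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN, 0, 0, 0) != 0) {
        perror("PR_CAPBSET_DROP (needs CAP_SETPCAP)");
        return 1;
    }
    if (lock) {
        secbits = SECBIT_NOROOT | SECBIT_NOROOT_LOCKED;
        if (prctl(PR_SET_SECUREBITS, secbits, 0, 0, 0) != 0) {
            perror("PR_SET_SECUREBITS");
            return 1;
        }
    }
    uint64_t bset = read_cap_field("CapBnd");
    uint64_t pI   = read_cap_field("CapInh");
    /* assumption: /bin/sh carries no file capabilities, so fP = fI = 0 */
    printf("predicted CapPrm after exec: %016llx\n",
           (unsigned long long)permitted_after_exec(bset, pI, 0, 0,
                                                    geteuid() == 0, secbits));
    execl("/bin/sh", "sh", "-c", "grep ^Cap /proc/self/status", (char *)NULL);
    perror("execl");
    return 1;
}
#endif
```

Running it as root without "lock" prints a CapPrm/CapEff in the shell that equals CapBnd minus CAP_SYS_ADMIN, i.e. the bounding set alone bounded the child; with "lock" the shell's CapPrm and CapEff are all zeros, which is the behaviour the patch removes. The prctl() calls need CAP_SETPCAP, so as an unprivileged user the demo only exercises the model.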