On Wed, Jul 08, 2009 at 01:12:59PM +0100, Daniel P. Berrange wrote:
> My previous change to LXC container capabilities setup has a fairly stupid
> bug in it. The container init process starts off with no capabilities
> whatsoever :-( This was caused by a bogus capng_lock() call which meant
> that all capabilities were cleared when the init process was exec'd.
> The capng_lock call sets NOROOT & NROOT_LOCKED flags in the process
> secure bits. This is not necessary for the init process - we have
> reduced the bounding set which is sufficient for our security goals.
> With the capng_lock() call removed, the init process gets its permitted
> and effective sets filled to match the bounding set which is the desired
> scenario.
ACK, though feedback from LXC experts would be welcome :-)
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit
http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine
http://rpmfind.net/
http://veillard.com/ | virtualization library
http://libvirt.org/
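The quoted message describes an interaction between the capability bounding set and the NOROOT securebit at exec time. The following is an added example, written for this page and not libvirt's own code, that models the kernel's exec-time capability rules of that era (cap_bprm_set_creds(), simplified: no file capabilities on the init binary, no ambient set) to show why setting NOROOT left the container init with empty permitted and effective sets, while dropping only the bounding set leaves permitted == effective == bounding. The securebit values are copied from <linux/securebits.h>; the three capabilities dropped from the bounding set are a hypothetical subset chosen for illustration, not libvirt's actual list.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Securebits, as in <linux/securebits.h>, copied so the model is self-contained.
 * capng_lock() sets NOROOT and NOROOT_LOCKED (among others). */
#define SECBIT_NOROOT        (1u << 0)
#define SECBIT_NOROOT_LOCKED (1u << 1)

/* One bit per capability number; real width depends on CAP_LAST_CAP,
 * here a full 64-bit mask is used as a stand-in. */
typedef uint64_t capset_t;
#define CAP_BIT(n) ((capset_t)1 << (n))
#define CAP_SYS_MODULE 16
#define CAP_SYS_ADMIN  21
#define CAP_SYS_BOOT   22
#define CAP_MKNOD      27
#define CAP_ALL (~(capset_t)0)

struct creds {
    unsigned uid, euid;
    capset_t permitted, effective, inheritable, bounding;
    unsigned securebits;
};

/* security.capability xattr of the program being exec'd (absent here). */
struct filecaps {
    bool present;
    capset_t permitted, inheritable;
    bool effective;
};

static bool has_cap(capset_t set, int cap) { return (set & CAP_BIT(cap)) != 0; }

/* Simplified model of the exec-time transformation (2.6-era cap_bprm_set_creds):
 *   P' = (bset & fP) | (I & fI)        if file caps exist, else 0
 *   if !NOROOT and (uid == 0 or euid == 0): P' = bset | I, and euid == 0 => E' = P'
 */
static struct creds exec_transform(const struct creds *old, const struct filecaps *fc,
                                   unsigned new_uid, unsigned new_euid)
{
    struct creds new = *old;
    bool effective = false;
    new.uid = new_uid;
    new.euid = new_euid;
    if (fc->present) {
        new.permitted = (old->bounding & fc->permitted) | (old->inheritable & fc->inheritable);
        effective = fc->effective;
    } else {
        new.permitted = 0;               /* no file caps: start from nothing */
    }
    if (!(old->securebits & SECBIT_NOROOT)) {
        if (new.euid == 0 || new.uid == 0)
            new.permitted = old->bounding | old->inheritable;   /* root's grant, bounded */
        if (new.euid == 0)
            effective = true;
    }
    new.effective = effective ? new.permitted : 0;
    new.inheritable = old->inheritable;
    return new;
}

/* Container setup before exec of init: root with a reduced bounding set,
 * optionally with capng_lock()-style securebits (the buggy variant). */
static struct creds container_setup(bool lock)
{
    struct creds c = { .uid = 0, .euid = 0, .permitted = CAP_ALL, .effective = CAP_ALL,
                       .inheritable = 0, .bounding = CAP_ALL, .securebits = 0 };
    /* hypothetical drop list, for illustration only */
    c.bounding &= ~(CAP_BIT(CAP_SYS_MODULE) | CAP_BIT(CAP_SYS_BOOT) | CAP_BIT(CAP_MKNOD));
    if (lock)
        c.securebits |= SECBIT_NOROOT | SECBIT_NOROOT_LOCKED;
    return c;
}

/* Credentials of the container init right after execve(), with or without the lock. */
struct creds init_caps_after_exec(bool lock)
{
    struct creds before = container_setup(lock);
    struct filecaps none = { .present = false };
    return exec_transform(&before, &none, 0, 0);
}

int main(void)
{
    for (int lock = 0; lock < 2; lock++) {
        struct creds c = init_caps_after_exec(lock);
        printf("%s: permitted=%016llx effective=%016llx bounding=%016llx sys_admin=%d sys_module=%d\n",
               lock ? "with capng_lock" : "bounding set only",
               (unsigned long long)c.permitted, (unsigned long long)c.effective,
               (unsigned long long)c.bounding,
               has_cap(c.permitted, CAP_SYS_ADMIN), has_cap(c.permitted, CAP_SYS_MODULE));
    }
    return 0;
}
```

With NOROOT set, the root-exec grant is skipped and, since init carries no file capabilities, permitted ends up empty; without it, init receives exactly the reduced bounding set, which is the outcome the message calls the desired scenario.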