On Wed, Dec 07, 2011 at 12:55:44PM -0800, Chris Haumesser wrote:
> I'm experimenting with the libvirt lxc driver, and wondering if there is
> some way to control the capabilities assigned to the container processes.
> With lxc-tools, I can specify a configuration option, lxc.cap.drop,
> which causes the container processes to drop the specified privileges.
> My libvirt containers seem to run with
> cap_sys_module,cap_sys_boot,cap_sys_time,cap_audit_control,cap_mac_admin
> which is rather more permissive than I'd like. In particular,
> cap_sys_boot allows a container to reboot the host machine.
I think you have that the wrong way around. The containers run
*without* cap_sys_{module,boot,time,audit_control,mac_admin}.
Any of the remaining capabilities we allow should be safe to use
within the context of a container (well ok, we need the UID/GID
namespace stuff to be finished really for this to be safe). But
we certainly block clearly dangerous things like reboot & module
loading.
Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
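One way to verify the reply's claim from inside a container is to decode the CapBnd mask in /proc/<pid>/status and check that the five named capabilities are absent. This is an added example for this thread, not libvirt code; the two status dumps are constructed, and the capability bit numbers come from <linux/capability.h>.

```python
"""Decode a process's capability bounding set from /proc/<pid>/status and
report which of the capabilities libvirt LXC is said to drop are still there.
Added example, not part of libvirt or of the thread above."""
import re

# Capability bit numbers from <linux/capability.h>.
CAP_BITS = {
    "cap_sys_module": 16, "cap_sys_boot": 22, "cap_sys_time": 25,
    "cap_audit_control": 30, "cap_mac_admin": 33,
}
# The set the reply says libvirt containers run *without*.
EXPECTED_DROPPED = set(CAP_BITS)


def parse_cap_masks(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} from a /proc/<pid>/status dump."""
    masks = {}
    for m in re.finditer(r"^(Cap\w+):[ \t]*([0-9a-fA-F]+)$", status_text, re.M):
        masks[m.group(1)] = int(m.group(2), 16)
    return masks


def caps_present(mask, names=CAP_BITS):
    """Names from `names` whose bit is set in the hex mask."""
    return {name for name, bit in names.items() if mask >> bit & 1}


def still_granted(status_text, field="CapBnd"):
    """Dangerous caps not removed from the bounding set; empty set means
    the container matches what the reply describes."""
    mask = parse_cap_masks(status_text).get(field)
    if mask is None:
        raise ValueError(f"no {field} line in status text")
    return caps_present(mask) & EXPECTED_DROPPED


# Constructed samples in /proc/<pid>/status form, not captured from a host.
# Bits 0..37 all set: nothing has been dropped from the bounding set.
PERMISSIVE_STATUS = "Name:\tinit\nCapBnd:\t0000003fffffffff\n"
# Bits 16, 22, 25, 30 and 33 cleared: the configuration the reply describes.
RESTRICTED_STATUS = "Name:\tinit\nCapBnd:\t00000001bdbeffff\n"

if __name__ == "__main__":
    for label, text in (("permissive", PERMISSIVE_STATUS),
                        ("restricted", RESTRICTED_STATUS)):
        print(label, sorted(still_granted(text)) or "all five dropped")
    # On a live container: still_granted(open("/proc/1/status").read())
```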