On Thu, Dec 08, 2011 at 03:34:48PM +0000, Daniel P. Berrange wrote:
On Thu, Dec 08, 2011 at 07:14:41AM -0800, Chris Haumesser wrote:
> Chris Haumesser wrote:
> > Am I misinterpreting the output of getpcaps then? (getpcaps is rather
> > undocumented).
>
> Answering my own question, I was misinterpreting the output of getpcaps.
> I found the cap_from_text(3) man page, which explained the output format.
>
> I still don't understand why I was able to reboot the host from within a
> container, however.
Well I just confirmed (the hard way!) that you are correct. It is possible
to reboot the host from inside the container, despire CAP_SYS_REBOOT
being blocked. I'll try & figure out how that's happening/possible...
It is obvious in retrospect. If you have a container which is sharing
the host OS's root filesystem, then it can see the host's /dev which
contains a /dev/initctrl FIFO pipe. The 'reboot' command can tell the
host OS to shutdown via that pipe, thus lack of CAP_SYS_REBOOT is
irrelevant.
Since this is a FIFO and not a blockdev/chardev we can't use cgroups
to prevent access to /dev/initctrl. The only reliable way is to wait
for the kernel's user namespace stuff.
Daniel
--
|:
http://berrange.com -o-
http://www.flickr.com/photos/dberrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|:
http://entangle-photo.org -o-
http://live.gnome.org/gtk-vnc :|