Quoting Ryota Ozaki (ozaki.ryota@xxxxxxxxx):
> Hi Serge,
>
> On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn <serue@xxxxxxxxxx> wrote:
> > Quoting Ryota Ozaki (ozaki.ryota@xxxxxxxxx):
> >> Hi,
...
> >> + for (i = 0 ; i < ARRAY_CARDINALITY(caps) ; i++) {
> >> + if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) {
> >> + lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
> >> + "%s", _("failed to drop %s"), caps[i].name);
> >> + return -1;
> >
> > Ideally you should also drop it from pI.
>
> If not drop it, a user in a container could set CAP_SYS_BOOT fI bit of
> /bin/reboot on and then the user could gain CAP_SYS_BOOT back through
> the fI. Is this understanding right?

Yup. Of course most tasks run with pI empty, so it seems unlikely that
it would be a problem, but unless the libcap dependency becomes a problem,
it seems worth making sure that doesn't happen.

thanks,
-serge

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
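Review bot: the lxcError call in the quoted hunk has a format/argument mismatch: the format string is "%s" and the translated string _("failed to drop %s") is passed as its only consumed argument, so the message is logged literally as "failed to drop %s" and caps[i].name is never used. Either pass the translated string as the format, lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR, _("failed to drop %s"), caps[i].name), or keep the "%s" wrapper only for messages that take no arguments. Separately, as the thread already notes, PR_CAPBSET_DROP alone leaves the capability in the inheritable set, so the loop should also clear caps[i].id from pI.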
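The exchange above hinges on how a capability flows across exec: per capabilities(7), the new permitted set is (pI & fI) | (fP & bounding set), so the bounding set masks only a file's permitted bits and does nothing to the pI & fI term. Dropping CAP_SYS_BOOT from the bounding set while leaving it in pI is therefore not enough. The following is an added example, not code from the quoted patch or from libvirt, showing how to check both sets and drop a capability from both, using raw capget/capset and prctl instead of libcap so it has no library dependency; the function names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Version-3 capability data: two 32-bit words per set (64 capability bits). */
#define CAP_WORDS _LINUX_CAPABILITY_U32S_3

/* Read the calling thread's effective/permitted/inheritable sets. */
static int read_caps(struct __user_cap_data_struct data[CAP_WORDS]) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &hdr, data);
}

/* Write the sets back; only subsets of the current sets are accepted. */
static int write_caps(struct __user_cap_data_struct data[CAP_WORDS]) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capset, &hdr, data);
}

/* 1 if cap is in the process inheritable set (pI), 0 if not, -1 on error. */
int cap_in_inheritable(int cap) {
    struct __user_cap_data_struct data[CAP_WORDS];
    if (read_caps(data) < 0)
        return -1;
    return (data[CAP_TO_INDEX(cap)].inheritable & CAP_TO_MASK(cap)) ? 1 : 0;
}

/* 1 if cap is still in the bounding set, 0 if it has been dropped, -1 on error. */
int cap_in_bounding_set(int cap) {
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Remove cap from pI. Shrinking pI never requires CAP_SETPCAP, so this
 * works even for an unprivileged process. */
int drop_cap_inheritable(int cap) {
    struct __user_cap_data_struct data[CAP_WORDS];
    if (read_caps(data) < 0)
        return -1;
    data[CAP_TO_INDEX(cap)].inheritable &= ~CAP_TO_MASK(cap);
    return write_caps(data);
}

/* What the quoted loop should do per capability: drop it from the bounding
 * set (closes the fP path; needs CAP_SETPCAP) and from pI (closes the
 * pI & fI path that the thread describes). */
int drop_cap_fully(int cap) {
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0)
        return -1;
    return drop_cap_inheritable(cap);
}

int main(void) {
    printf("before: CAP_SYS_BOOT in bset=%d in pI=%d\n",
           cap_in_bounding_set(CAP_SYS_BOOT), cap_in_inheritable(CAP_SYS_BOOT));

    /* Unprivileged, the bounding-set drop fails with EPERM; the pI drop still succeeds. */
    if (drop_cap_fully(CAP_SYS_BOOT) < 0)
        printf("bounding-set drop failed: %s (pI drop rc=%d)\n",
               strerror(errno), drop_cap_inheritable(CAP_SYS_BOOT));

    printf("after:  CAP_SYS_BOOT in bset=%d in pI=%d\n",
           cap_in_bounding_set(CAP_SYS_BOOT), cap_in_inheritable(CAP_SYS_BOOT));
    return 0;
}
```

Run as root (or with CAP_SETPCAP) to see both drops succeed; as an ordinary user only the pI drop takes effect, which is exactly the half of the fix that the bounding-set loop in the patch was missing.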