Re: [libvirt] [RFC][PATCH] lxc: drop CAP_SYS_BOOT capability to prevent rebooting from inside containers

Hi Serge,

On Fri, May 8, 2009 at 11:04 AM, Serge E. Hallyn <serue@xxxxxxxxxx> wrote:
> Quoting Ryota Ozaki (ozaki.ryota@xxxxxxxxx):
>> Hi Serge,
>>
>> On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn <serue@xxxxxxxxxx> wrote:
>> > Quoting Ryota Ozaki (ozaki.ryota@xxxxxxxxx):
>> >> Hi,
>
> ...
>
>> >> +    for (i = 0 ; i < ARRAY_CARDINALITY(caps) ; i++) {
>> >> +        if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) {
>> >> +            lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
>> >> +                     "%s", _("failed to drop %s"), caps[i].name);
>> >> +            return -1;
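Review bot: the lxcError call in this hunk uses "%s" as the format string and passes _("failed to drop %s") as the argument that "%s" consumes, so caps[i].name is an unused trailing argument and the reported message is the literal text "failed to drop %s". Use the translated string as the format itself, i.e. lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR, _("failed to drop %s"), caps[i].name), so the capability name actually lands in the error message.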
>> >
>> > Ideally you should also drop it from pI.
>>
>> If we don't drop it, a user in a container could set the CAP_SYS_BOOT fI bit of
>> /bin/reboot on, and then the user could gain CAP_SYS_BOOT back through
>> the fI. Is this understanding right?
>
> Yup.
>
> Of course most tasks run with pI empty, so it seems unlikely that
> it would be a problem, but unless the libcap dependency becomes a
> problem, it seems worth making sure that doesn't happen.

Oh, I slightly misread your suggestion, sorry. You are suggesting that making
sure requires dropping a capability from both the bounding set AND the pI of a
process, and that to do so we need an additional package (libcap2 or something)
because prctl(2) doesn't have a function to drop pI, aren't you?

Um, I hope my patch is sufficient as a first step, but OK, I'll try to implement
the function to drop pI as well and confirm whether it is feasible for libvirt.

Thanks,
  ozaki-r

>
> thanks,
> -serge
>
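The two-set drop discussed in this thread, written out as an added example; this is not libvirt code and not the patch under review. It removes CAP_SYS_BOOT from the bounding set with prctl(PR_CAPBSET_DROP) as the patch does, and additionally clears it from the inheritable set (pI) with the raw capset(2) syscall, which I have assumed as a way to avoid the libcap dependency Serge mentions. The result is checked by reading the CapBnd and CapInh masks from /proc/self/status. The helper names (cap_in_mask, cap_in_proc, drop_cap_from_inheritable, drop_cap_from_bounding) are my own.

```c
/* Added example (not libvirt code): drop CAP_SYS_BOOT from the bounding set
 * AND the inheritable set, then verify via /proc/self/status. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>   /* CAP_SYS_BOOT, __user_cap_*_struct */

/* Return 1 if `cap` is set, 0 if clear, in a /proc/<pid>/status mask line such
 * as "CapBnd:\t000001ffffffffff"; -1 if the line has no "Key:" prefix. */
static int cap_in_mask(const char *status_line, int cap)
{
    const char *p = strchr(status_line, ':');
    if (!p)
        return -1;
    p++;
    while (*p == ' ' || *p == '\t')
        p++;
    uint64_t mask = strtoull(p, NULL, 16);
    return (int)((mask >> cap) & 1);
}

/* Look up one mask ("CapBnd", "CapInh", "CapPrm", "CapEff") of the calling
 * process in /proc/self/status. Returns 1/0 as above, -1 on error. */
static int cap_in_proc(const char *key, int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    size_t klen = strlen(key);
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, key, klen) == 0 && line[klen] == ':') {
            rc = cap_in_mask(line, cap);
            break;
        }
    }
    fclose(f);
    return rc;
}

/* Clear `cap` from the thread's inheritable set (pI) with the raw capset(2)
 * syscall (assumed here instead of libcap). Lowering pI never needs privilege.
 * Returns 0 on success, -1 on error with errno set. */
static int drop_cap_from_inheritable(int cap)
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    data[cap / 32].inheritable &= ~(1u << (cap % 32));
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Remove `cap` from the bounding set, as the patch does. Needs CAP_SETPCAP:
 * returns 0 on success, 1 when the caller lacks that privilege (EPERM), -1 on
 * any other error. Once a cap is out of the bounding set, no file's fI or fP
 * bits can hand it back, which is what makes the pI drop a belt-and-braces
 * measure rather than the only line of defence. */
static int drop_cap_from_bounding(int cap)
{
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0)
        return 0;
    return errno == EPERM ? 1 : -1;
}

int main(void)
{
    printf("before: CapBnd=%d CapInh=%d\n",
           cap_in_proc("CapBnd", CAP_SYS_BOOT), cap_in_proc("CapInh", CAP_SYS_BOOT));
    if (drop_cap_from_inheritable(CAP_SYS_BOOT) != 0)
        perror("capset");
    if (drop_cap_from_bounding(CAP_SYS_BOOT) == 1)
        fprintf(stderr, "PR_CAPBSET_DROP: CAP_SETPCAP required (run as root)\n");
    printf("after:  CapBnd=%d CapInh=%d\n",
           cap_in_proc("CapBnd", CAP_SYS_BOOT), cap_in_proc("CapInh", CAP_SYS_BOOT));
    return 0;
}
```

Run it once unprivileged and once as root: the inheritable bit clears in both cases, while the bounding-set drop only takes effect with CAP_SETPCAP, which is the privilege the container setup code in libvirt holds at the point the patch runs.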

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
