On Fri, May 08, 2009 at 12:43:19PM +0900, Ryota Ozaki wrote:
> Hi Serge,
>
> On Fri, May 8, 2009 at 11:04 AM, Serge E. Hallyn <serue@xxxxxxxxxx> wrote:
> > Quoting Ryota Ozaki (ozaki.ryota@xxxxxxxxx):
> >> Hi Serge,
> >>
> >> On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn <serue@xxxxxxxxxx> wrote:
> >> > Quoting Ryota Ozaki (ozaki.ryota@xxxxxxxxx):
> >> >> Hi,
> >
> > ...
> >
> >> >> + for (i = 0 ; i < ARRAY_CARDINALITY(caps) ; i++) {
> >> >> + if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) {
> >> >> + lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
> >> >> + "%s", _("failed to drop %s"), caps[i].name);
> >> >> + return -1;
> >> >
> >> > Ideally you should also drop it from pI.
> >>
> >> If it is not dropped, a user in a container could set the CAP_SYS_BOOT fI bit of
> >> /bin/reboot on, and then the user could gain CAP_SYS_BOOT back through
> >> the fI. Is this understanding right?
> >
> > Yup.
> >
> > Of course most tasks run with pI empty, so it seems unlikely that
> > it would be a problem, but unless the libcap dependency becomes a
> > problem, it seems worth making sure that doesn't happen.
>
> Oh, I slightly misread your suggestions, sorry. You are suggesting that making
> sure requires dropping a capability from both the bounding set AND the pI of a process,
> and to do so we need an additional package (libcap2 or somewhat) because
> prctl(2) doesn't have the function to drop pI, aren't you?
>
> um, I hope my patch is sufficient as a first step, but ok, I'll try to implement
> the function to drop pI as well and confirm whether it is feasible for libvirt.
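Review bot: the lxcError call in the loop body can never print the capability name, because the format string passed is "%s" and only one argument is consumed by it: _("failed to drop %s") is substituted verbatim, and caps[i].name is an unused extra argument, so the error reads literally "failed to drop %s". Pass the translated string as the format, e.g. `lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR, _("failed to drop %s"), caps[i].name);`, and consider appending strerror(errno), since PR_CAPBSET_DROP fails with EPERM when the caller lacks CAP_SETPCAP and that is worth distinguishing from EINVAL for an unknown capability. As the thread already notes, this prctl only removes the capability from the bounding set; the inheritable set (pI) needs a separate capset(2) call, otherwise a file with the matching fI bit can hand the capability back.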
The patch I have just posted should take care of this issue with pI

  http://www.redhat.com/archives/libvir-list/2009-June/msg00413.html

Regards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
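The point the thread circles around is that PR_CAPBSET_DROP only shrinks the bounding set, while a capability left in the inheritable set (pI) can be regained from a file whose fI bit is set. The following is an added example, not code from the thread, from Ryota's patch or from libvirt: it drops one capability from both sets on Linux using only prctl(2) and the raw capget/capset system calls (the calls libcap wraps), so the libcap dependency the thread discusses is not strictly required. The function and helper names (cap_in_inheritable, drop_cap_inheritable, drop_cap_bounding, drop_cap_fully) are this example's own, and it assumes the v3 capability ABI with two 32-bit words per set.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Added example, not libvirt code: remove one capability from BOTH the
 * bounding set and the inheritable set (pI) of the calling thread. */

/* Word index and bit mask of a capability in the two-word v3 arrays. */
static unsigned cap_idx(int cap) { return (unsigned)cap >> 5; }
static unsigned cap_bit(int cap) { return 1u << ((unsigned)cap & 31); }

/* Fetch the calling thread's capability sets via raw capget(2). */
static int read_caps(struct __user_cap_header_struct *hdr,
                     struct __user_cap_data_struct data[2])
{
    memset(hdr, 0, sizeof(*hdr));
    memset(data, 0, 2 * sizeof(data[0]));
    hdr->version = _LINUX_CAPABILITY_VERSION_3;
    hdr->pid = 0;                       /* 0 selects the calling thread */
    return (int)syscall(SYS_capget, hdr, data);
}

/* 1 if cap is in pI, 0 if not, -1 on error. */
int cap_in_inheritable(int cap)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    if (read_caps(&hdr, data) != 0)
        return -1;
    return (data[cap_idx(cap)].inheritable & cap_bit(cap)) ? 1 : 0;
}

/* Clear cap from pI. Lowering a set never needs privilege, so this works
 * for an unprivileged process too, unlike PR_CAPBSET_DROP. */
int drop_cap_inheritable(int cap)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    if (read_caps(&hdr, data) != 0)
        return -1;
    data[cap_idx(cap)].inheritable &= ~cap_bit(cap);
    return (int)syscall(SYS_capset, &hdr, data);
}

/* 1 if cap is still in the bounding set, 0 if not, -1 on error. */
int cap_in_bounding(int cap)
{
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Drop cap from the bounding set. Requires CAP_SETPCAP in the effective
 * set; otherwise prctl fails with EPERM. */
int drop_cap_bounding(int cap)
{
    return prctl(PR_CAPBSET_DROP, cap, 0, 0, 0);
}

/* Drop cap from both sets. The pI drop is mandatory (return value); the
 * bounding-set result is reported through *bset_errno (0 on success) so
 * the caller can decide whether an EPERM from an unprivileged run is
 * acceptable or must be treated as fatal, as a container runtime would. */
int drop_cap_fully(int cap, int *bset_errno)
{
    *bset_errno = 0;
    if (drop_cap_bounding(cap) != 0)
        *bset_errno = errno;
    return drop_cap_inheritable(cap);
}

int main(void)
{
    int cap = CAP_SYS_BOOT;             /* the capability named in the thread */
    int bset_err;

    printf("before: pI=%d bset=%d\n", cap_in_inheritable(cap), cap_in_bounding(cap));
    if (drop_cap_fully(cap, &bset_err) != 0) {
        perror("capset");
        return 1;
    }
    if (bset_err)
        printf("PR_CAPBSET_DROP failed: %s (needs CAP_SETPCAP)\n", strerror(bset_err));
    printf("after:  pI=%d bset=%d\n", cap_in_inheritable(cap), cap_in_bounding(cap));
    return 0;
}
```

Run as root (or with CAP_SETPCAP) both sets end up without CAP_SYS_BOOT; run unprivileged only the pI drop takes effect and the bounding-set failure is reported rather than silently ignored, which is the distinction the patch's single prctl loop cannot make.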