On Tue, Jun 23, 2009 at 12:02:12PM +0100, Daniel P. Berrange wrote:
> This patch updates the LXC driver to make use of libcap-ng for managing
> process capabilities. Previously Ryota Ozaki had provided code to remove
> the CAP_BOOT capabilities inside the container, preventing host reboots.
> In addition to that one, I believe we should be removing ability to
> load kernel modules, change the system clock and changing audit/MAC.
> So this patch also clears the following:
>
>   CAP_SYS_MODULE,    /* No kernel module loading */
>   CAP_SYS_TIME,      /* No changing the clock */
>   CAP_AUDIT_CONTROL, /* No messing with auditing */
>   CAP_AUDIT_WRITE,   /* No messing with auditing */
>   CAP_MAC_ADMIN,     /* No messing with LSM */
>   CAP_MAC_OVERRIDE,  /* No messing with LSM */
>
> We use libcap-ng's capng_updatev/apply functions to remove these from
> the permitted, inheritable, effective and bounding sets. Then we use
> capng_lock to set NOROOT and NOROOT_LOCKED in the process securebits
> to prevent them ever being re-acquired.
>
> The other thing I realized is that the 'libvirt_lxc' controller process
> does not need to keep any capabilities at all once it has spawned the
> container process, since all it's doing is forwarding I/O between 2 open
> file descriptors. So I also clear all capabilities from that. We should
> probably make it chuid/gid to a non-root user in future too.

Looks fine to me, but LXC experts should chime in I think :-)

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel@xxxxxxxxxxxx  | Rpmfind RPM search engine      http://rpmfind.net/
http://veillard.com/ | virtualization library         http://libvirt.org/

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
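Added example, not code from the thread or from libvirt: an audit check that reads a process's /proc/<pid>/status text and reports which of the capabilities the patch drops are still present in any of the inheritable, permitted, effective or bounding sets. The capability bit numbers are the ones in linux/capability.h (the mail's "CAP_BOOT" is CAP_SYS_BOOT there); the status excerpts are constructed samples, and the securebits set by capng_lock are not visible in this file and so not covered here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from linux/capability.h; the mail's "CAP_BOOT" is CAP_SYS_BOOT there. */
enum { CAP_SYS_MODULE = 16, CAP_SYS_BOOT = 22, CAP_SYS_TIME = 25, CAP_AUDIT_WRITE = 29,
       CAP_AUDIT_CONTROL = 30, CAP_MAC_OVERRIDE = 32, CAP_MAC_ADMIN = 33 };

/* Everything the patch clears from the container's Inh/Prm/Eff/Bnd sets. */
static const uint64_t FORBIDDEN_CAPS =
    (1ULL << CAP_SYS_MODULE) | (1ULL << CAP_SYS_BOOT) | (1ULL << CAP_SYS_TIME) |
    (1ULL << CAP_AUDIT_WRITE) | (1ULL << CAP_AUDIT_CONTROL) |
    (1ULL << CAP_MAC_OVERRIDE) | (1ULL << CAP_MAC_ADMIN);

/* Scan a /proc/<pid>/status buffer and return the forbidden capabilities still
 * present in ANY of the four sets (0 = confined as the patch intends), or
 * UINT64_MAX if a Cap line is missing. All four sets matter: a capability left
 * in the bounding set can be regained later even when CapEff is already clean. */
uint64_t leaked_caps(const char *status)
{
    static const char *keys[] = { "CapInh:", "CapPrm:", "CapEff:", "CapBnd:" };
    uint64_t leaked = 0;
    for (size_t i = 0; i < 4; i++) {
        const char *p = strstr(status, keys[i]);
        if (!p) return UINT64_MAX;
        /* strtoull skips the tab and parses the 16 hex digits that follow */
        leaked |= strtoull(p + strlen(keys[i]), NULL, 16) & FORBIDDEN_CAPS;
    }
    return leaked;
}

/* Constructed /proc/<pid>/status excerpts for demonstration, not real captures. */
const char *SAMPLE_UNCONFINED = "Name:\tinit\nCapInh:\t0000003fffffffff\nCapPrm:\t0000003fffffffff\n"
                                "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n";
const char *SAMPLE_CONFINED   = "Name:\tinit\nCapInh:\t0000003c9dbeffff\nCapPrm:\t0000003c9dbeffff\n"
                                "CapEff:\t0000003c9dbeffff\nCapBnd:\t0000003c9dbeffff\n";
/* Bounding set is clean but CAP_SYS_MODULE (bit 16) is still permitted/effective. */
const char *SAMPLE_PARTIAL    = "Name:\tinit\nCapInh:\t0000003c9dbeffff\nCapPrm:\t0000003c9dbfffff\n"
                                "CapEff:\t0000003c9dbfffff\nCapBnd:\t0000003c9dbeffff\n";

int main(void)
{
    printf("unconfined leak mask: %#llx\n", (unsigned long long)leaked_caps(SAMPLE_UNCONFINED));
    printf("confined leak mask:   %#llx\n", (unsigned long long)leaked_caps(SAMPLE_CONFINED));
    printf("partial leak mask:    %#llx\n", (unsigned long long)leaked_caps(SAMPLE_PARTIAL));
    return 0;
}
```

On a live system the same check is run by reading /proc/<pid>/status of the container's init into a buffer and passing it to leaked_caps(); a non-zero result names the bits that a correctly applied capng_updatev/capng_apply would have removed.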