Re: [libvirt] [PATCH 4/3] Control LXC capabilities

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jun 23, 2009 at 12:02:12PM +0100, Daniel P. Berrange wrote:
> This patch updates the LXC driver to make use of libcap-ng for managing
> process capabilities. Previously Ryota Ozaki had provided code to remove
> the CAP_BOOT  capabilities inside the container, preventing host reboots.
> In addition to that one, I believe we should be removing ability to
> load kernel modules, change the system clock and changing audit/MAC.
> So this patch also clears the following:
> 
>      CAP_SYS_MODULE, /* No kernel module loading */
>      CAP_SYS_TIME, /* No changing the clock */
>      CAP_AUDIT_CONTROL, /* No messing with auditing */
>      CAP_AUDIT_WRITE, /* No messing with auditing */
>      CAP_MAC_ADMIN, /* No messing with LSM */
>      CAP_MAC_OVERRIDE, /* No messing with LSM */
> 
> We use libcap-ng's capng_updatev/apply functions to remove these from 
> the permitted, inheritable, effective and bounding sets. Then we use
> capng_lock to set NOROOT and NOROOT_LOCKED in the process securebits
> to prevent them ever being re-acquired.
> 
> The other thing I realized is that the 'libvirt_lxc' controller process
> does not need to keep any capabilities at all once it has spawned the 
> container process, since all its doing is forwarding I/O between 2 open
> file descripts. So I also clear all capabilities from that. We should
> probably make it chuid/gid to a non-root user in future too. 

  Looks fine to me, but LXC experts should chime in I think :-)

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel@xxxxxxxxxxxx  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]