On Wed, Jul 08, 2009 at 01:12:59PM +0100, Daniel P. Berrange wrote:
> My previous change to LXC container capabilities setup has a fairly stupid
> bug in it. The container init process starts off with no capabilities
> whatsoever :-( This was caused by a bogus capng_lock() call which meant
> that all capabilities were cleared when the init process was exec'd.
>
> The capng_lock call sets NOROOT & NOROOT_LOCKED flags in the process
> secure bits. This is not necessary for the init process - we have
> reduced the bounding set which is sufficient for our security goals.
> With the capng_lock() call removed, the init process gets its permitted
> and effective sets filled to match the bounding set which is the desired
> scenario.

ACK, though feedback from LXC experts would be welcome :-)

Daniel

-- 
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel@xxxxxxxxxxxx | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
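The exchange above hinges on how the kernel fills a uid-0 process's capability sets at exec() time, and why SECBIT_NOROOT turns "reduced bounding set" into "no capabilities at all". The following is an added example, not libvirt's LXC driver code and not part of the thread: it models that exec-time transition as described in capabilities(7) (permitted = bounding | inheritable for root when NOROOT is clear; nothing survives when NOROOT is set and the binary carries no file capabilities, ambient capabilities being ignored since they postdate this thread), reads the live bounding set and securebits of the calling process with prctl(2), and attempts a real PR_CAPBSET_DROP, which only succeeds with CAP_SETPCAP. The capability list in example_reduced_bounding_set() and all function names are illustrative assumptions, not the libvirt policy.

```c
/* Added example (not libvirt code). Linux only: needs <sys/prctl.h> and
 * <linux/capability.h>. Models the exec-time capability transition that
 * explains the bug in the message, then inspects the live process. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Fallbacks for old headers; values match include/uapi/linux/{prctl,securebits}.h. */
#ifndef PR_CAPBSET_READ
#define PR_CAPBSET_READ 23
#endif
#ifndef PR_CAPBSET_DROP
#define PR_CAPBSET_DROP 24
#endif
#ifndef PR_GET_SECUREBITS
#define PR_GET_SECUREBITS 27
#endif
#ifndef SECBIT_NOROOT
#define SECBIT_NOROOT (1 << 0)
#endif
#ifndef SECBIT_NOROOT_LOCKED
#define SECBIT_NOROOT_LOCKED (1 << 1)
#endif

typedef uint64_t capset_t;               /* bit i set <=> capability number i present */
#define CAPBIT(c) ((capset_t)1 << (c))

/* Every capability this kernel's headers know about (clamped to 64 bits). */
capset_t full_capset(void)
{
    int last = CAP_LAST_CAP < 63 ? CAP_LAST_CAP : 63;
    capset_t set = 0;
    for (int c = 0; c <= last; c++)
        set |= CAPBIT(c);
    return set;
}

/* Model of the bounding-set reduction: remove each listed capability. */
capset_t drop_from_bounding(capset_t bounding, const int *caps, size_t n)
{
    for (size_t i = 0; i < n; i++)
        bounding &= ~CAPBIT(caps[i]);
    return bounding;
}

/* Illustrative policy (an assumption, not libvirt's list): start from
 * everything and take away what a container init must not have. */
capset_t example_reduced_bounding_set(void)
{
    static const int drop[] = { CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_TIME };
    return drop_from_bounding(full_capset(), drop, sizeof drop / sizeof drop[0]);
}

/* Permitted set a uid-0 process gets after exec() of a binary with no file
 * capabilities (capabilities(7), "Capabilities and execution of programs by root"):
 *   SECBIT_NOROOT clear: the file is treated as having all caps, so
 *                        P'(permitted) = P(bounding) | P(inheritable)
 *   SECBIT_NOROOT set:   root is treated like any user, and with empty file
 *                        caps P'(permitted) = P(inheritable) & F(inheritable) = 0
 * Effective is then set equal to permitted. Ambient caps (Linux 4.3+) ignored. */
capset_t permitted_after_exec_as_root(capset_t bounding, capset_t inheritable,
                                      unsigned long securebits)
{
    if (securebits & SECBIT_NOROOT)
        return 0;
    return bounding | inheritable;
}

/* Live bounding set of the calling process; PR_CAPBSET_READ needs no privilege. */
capset_t read_live_bounding_set(void)
{
    capset_t set = 0;
    int last = CAP_LAST_CAP < 63 ? CAP_LAST_CAP : 63;
    for (int c = 0; c <= last; c++) {
        int r = prctl(PR_CAPBSET_READ, c, 0, 0, 0);   /* 1 = present, 0 = dropped, -1 = unknown cap */
        if (r == 1)
            set |= CAPBIT(c);
    }
    return set;
}

/* Really drop a capability from the bounding set. Requires CAP_SETPCAP;
 * returns 0 on success or -errno (typically -EPERM when unprivileged). */
int drop_bounding_cap(int cap)
{
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == -1)
        return -errno;
    return 0;
}

int main(void)
{
    int secbits = prctl(PR_GET_SECUREBITS, 0, 0, 0, 0);
    unsigned long sb = secbits < 0 ? 0 : (unsigned long)secbits;
    capset_t bset = read_live_bounding_set();

    printf("securebits=0x%lx (NOROOT %s) bounding=0x%llx\n", sb,
           (sb & SECBIT_NOROOT) ? "set" : "clear", (unsigned long long)bset);
    printf("a uid-0 child exec'd from here would get permitted=0x%llx\n",
           (unsigned long long)permitted_after_exec_as_root(bset, 0, sb));
    printf("same child if capng_lock() had set NOROOT: permitted=0x%llx\n",
           (unsigned long long)permitted_after_exec_as_root(bset, 0, sb | SECBIT_NOROOT));

    int rc = drop_bounding_cap(CAP_SYS_MODULE);
    printf("PR_CAPBSET_DROP(CAP_SYS_MODULE): %s\n", rc == 0 ? "ok" : strerror(-rc));
    return 0;
}
```

Run as root to see the bounding-set drop succeed; unprivileged, PR_CAPBSET_DROP reports EPERM but the read-side calls still work, and the two "would get" lines show the difference the message describes: the reduced bounding set survives exec as long as NOROOT stays clear, and collapses to zero the moment it is set.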