Am 13.06.2013 20:02, schrieb Richard Weinberger:
> Dropping capabilities within a user namespace makes no sense
> because any uid 0 process will regain all caps upon execve().
>
> Signed-off-by: Richard Weinberger <richard@xxxxxx>
> ---
> src/lxc/lxc_container.c | 21 ++++++++++-----------
> 1 file changed, 10 insertions(+), 11 deletions(-)
>
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index 958e20d..4f00420 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -1896,6 +1896,15 @@ static int lxcContainerDropCapabilities(bool keepReboot ATTRIBUTE_UNUSED)
> return 0;
> }
>
> +static int userns_supported(void)
> +{
> + return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
> +}
> +
> +static int userns_required(virDomainDefPtr def)
> +{
> + return def->idmap.uidmap && def->idmap.gidmap;
> +}
>
> /**
> * lxcContainerChild:
> @@ -1992,7 +2001,7 @@ static int lxcContainerChild(void *data)
> }
>
> /* drop a set of root capabilities */
> - if (lxcContainerDropCapabilities(!!hasReboot) < 0)
> + if (!userns_required(vmDef) && lxcContainerDropCapabilities(!!hasReboot) < 0)
> goto cleanup;
>
> if (lxcContainerSendContinue(argv->handshakefd) < 0) {
> @@ -2025,16 +2034,6 @@ cleanup:
> return ret;
> }
>
> -static int userns_supported(void)
> -{
> - return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
> -}
> -
> -static int userns_required(virDomainDefPtr def)
> -{
> - return def->idmap.uidmap && def->idmap.gidmap;
> -}
> -
> virArch lxcContainerGetAlt32bitArch(virArch arch)
> {
> /* Any Linux 64bit arch which has a 32bit
>
Any feedback on that one? Thanks, //richard -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
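Review bot: The new guard in lxcContainerChild (second hunk) skips lxcContainerDropCapabilities() whenever `userns_required(vmDef)` is true, but that helper only tests that a uidmap and a gidmap are configured, not that the child is actually running in a new user namespace. If any start path can reach this point with an idmap set but without a user namespace, for instance where `userns_supported()` is false, the container's uid 0 would keep its full capability set; the clone/start code is outside this hunk, so please confirm it fails hard in that case rather than falling back. The comment above the call no longer matches the condition, and I would change it to `/* Drop root capabilities only without a user namespace: inside one, uid 0 regains them on execve() */`. lxcContainerChild begins and ends outside the hunk.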