Re: [RFC PATCH 1/2] LXC: Drop capabilities only if we're not within a user namespace

On Tue, Jun 25, 2013 at 09:47:13AM +0200, Richard Weinberger wrote:
> Am 13.06.2013 20:02, schrieb Richard Weinberger:
> > Dropping capabilities within a user namespace makes no sense
> > because any uid 0 process will regain all caps upon execve().
> > 
> > Signed-off-by: Richard Weinberger <richard@xxxxxx>
> > ---
> >  src/lxc/lxc_container.c | 21 ++++++++++-----------
> >  1 file changed, 10 insertions(+), 11 deletions(-)
> > 
> > diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> > index 958e20d..4f00420 100644
> > --- a/src/lxc/lxc_container.c
> > +++ b/src/lxc/lxc_container.c
> > @@ -1896,6 +1896,15 @@ static int lxcContainerDropCapabilities(bool keepReboot ATTRIBUTE_UNUSED)
> >      return 0;
> >  }
> >  
> > +static int userns_supported(void)
> > +{
> > +    return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
> > +}
> > +
> > +static int userns_required(virDomainDefPtr def)
> > +{
> > +    return def->idmap.uidmap && def->idmap.gidmap;
> > +}
> >  
> >  /**
> >   * lxcContainerChild:
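Review bot: only userns_required() is needed above lxcContainerChild(); userns_supported() is moved along with it purely to keep the two helpers adjacent, which turns a one-line behavioural change into a code move of two functions. A forward declaration of userns_required() above lxcContainerChild(), or moving just that function, keeps the functional change separate from the motion. Both helpers also return `int` while every use is boolean (`return def->idmap.uidmap && def->idmap.gidmap;` tests two pointers), so `bool` would state the intent more clearly.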
> > @@ -1992,7 +2001,7 @@ static int lxcContainerChild(void *data)
> >      }
> >  
> >      /* drop a set of root capabilities */
> > -    if (lxcContainerDropCapabilities(!!hasReboot) < 0)
> > +    if (!userns_required(vmDef) && lxcContainerDropCapabilities(!!hasReboot) < 0)
> >          goto cleanup;
> >  
> >      if (lxcContainerSendContinue(argv->handshakefd) < 0) {
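Review bot: the new condition `if (!userns_required(vmDef) && lxcContainerDropCapabilities(!!hasReboot) < 0)` skips the capability drop whenever the domain config carries both a uidmap and a gidmap, that is whenever a user namespace was requested, not whenever one is actually in effect. If the namespace could not be set up (userns_supported() exists for exactly that check) the container would end up with neither a user namespace nor dropped capabilities; gate on the same condition that actually created the namespace, or fail earlier when a requested userns is unavailable, so that the two cannot drift apart. The commit message should also spell out that the drop is being skipped because it is ineffective after execve(), not because the caps are unwanted, so the reasoning is preserved for the next reader of this line.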
> > @@ -2025,16 +2034,6 @@ cleanup:
> >      return ret;
> >  }
> >  
> > -static int userns_supported(void)
> > -{
> > -    return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
> > -}
> > -
> > -static int userns_required(virDomainDefPtr def)
> > -{
> > -    return def->idmap.uidmap && def->idmap.gidmap;
> > -}
> > -
> >  virArch lxcContainerGetAlt32bitArch(virArch arch)
> >  {
> >      /* Any Linux 64bit arch which has a 32bit
> > 
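Review bot: this hunk is the removal half of a verbatim code move; nothing in it changes behaviour. Splitting the move into its own preparatory commit (or using a forward declaration instead of moving the definitions) would leave the single-line change in lxcContainerChild() standing alone, which is easier to review and to bisect.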
> 
> Any feedback on that one?

I've been away on PTO for 2 weeks, so LXC review/merge got delayed.
I'm looking to get the basic userns stuff merged first, for this
release, then I'll look at followup patches to see what we need
for this release vs next.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list