Hi all,

I had a request from some users to allow keeping the mknod capability in containers even though that may be a security threat for the container and host. After discussing it with Dan on IRC, here is a patch series that adds a capabilities XML element in the features section of the domain configuration. It also allows to drop capabilities that are normally kept.

Coming with this commit are one for the conversion of LXC configuration to domain XML for the lxc.cap.drop entry, and one commit to extend the documentation.

There is one thing I'm not sure how to do best: I had to list all capabilities into an enum for the XML config, and I had to map those to the kernel CAP_* defines. Any improvement idea is welcome ;)

Cédric Bosdonnat (3):
  lxc: allow to keep or drop capabilities
  lxc domain from xml: convert lxc.cap.drop
  lxc: update doc to mention features/capabilities/* domain configuration

 docs/drvlxc.html.in                                |  27 +++
 docs/schemas/domaincommon.rng                      | 196 +++++++++++++++++++++
 src/conf/domain_conf.c                             |  93 +++++++++-
 src/conf/domain_conf.h                             |  47 +++++
 src/libvirt_private.syms                           |   1 +
 src/lxc/lxc_cgroup.c                               |   5 +
 src/lxc/lxc_container.c                            |  90 ++++++++--
 src/lxc/lxc_native.c                               |  27 +++
 tests/domainschemadata/domain-caps-features.xml    |  28 +++
 tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml    |  39 ++++
 tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml   |  39 ++++
 tests/lxcconf2xmldata/lxcconf2xml-cputune.xml      |  39 ++++
 tests/lxcconf2xmldata/lxcconf2xml-idmap.xml        |  39 ++++
 .../lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml |  41 +++++
 tests/lxcconf2xmldata/lxcconf2xml-memtune.xml      |  39 ++++
 tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml  |  41 +++++
 tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml    |  39 ++++
 tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml  |  41 +++++
 tests/lxcconf2xmldata/lxcconf2xml-simple.xml       |  41 +++++
 tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml  |  41 +++++
 20 files changed, 935 insertions(+), 18 deletions(-)
 create mode 100644 tests/domainschemadata/domain-caps-features.xml

-- 
1.8.4.5

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
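The conversion the second commit describes, shown as an added example rather than code from the series or from libvirt: it reads lxc.cap.drop entries from an LXC config, maps each name to its kernel CAP_* define (the mapping the cover letter says had to be built by hand), and emits a features/capabilities fragment. The element and attribute names (capabilities, policy, and a per-capability state of on/off) are assumptions modelled on the libvirt LXC driver documentation, not taken from this mail; the review helper that flags kept capabilities is likewise a constructed illustration of why keeping mknod is worth a second look.

```python
"""Convert lxc.cap.drop lines into a libvirt <features><capabilities> fragment.

Added example, not libvirt's own code.  Assumed XML shape (from the libvirt
LXC driver docs, not from the mail): <capabilities policy="default"> with one
child element per capability carrying state="on" (keep) or state="off" (drop).
"""
import re
import xml.etree.ElementTree as ET

# lxc.cap.drop name -> (kernel define, number), values from linux/capability.h.
# Only a representative subset of the full capability list is carried here.
CAP_TABLE = {
    "chown": ("CAP_CHOWN", 0),
    "dac_override": ("CAP_DAC_OVERRIDE", 1),
    "fowner": ("CAP_FOWNER", 3),
    "kill": ("CAP_KILL", 5),
    "setgid": ("CAP_SETGID", 6),
    "setuid": ("CAP_SETUID", 7),
    "net_bind_service": ("CAP_NET_BIND_SERVICE", 10),
    "net_admin": ("CAP_NET_ADMIN", 12),
    "net_raw": ("CAP_NET_RAW", 13),
    "sys_module": ("CAP_SYS_MODULE", 16),
    "sys_rawio": ("CAP_SYS_RAWIO", 17),
    "sys_chroot": ("CAP_SYS_CHROOT", 18),
    "sys_ptrace": ("CAP_SYS_PTRACE", 19),
    "sys_admin": ("CAP_SYS_ADMIN", 21),
    "sys_boot": ("CAP_SYS_BOOT", 22),
    "sys_time": ("CAP_SYS_TIME", 25),
    "mknod": ("CAP_MKNOD", 27),
    "audit_write": ("CAP_AUDIT_WRITE", 29),
    "audit_control": ("CAP_AUDIT_CONTROL", 30),
}

# Constructed review list: capabilities whose retention reaches host state
# (device nodes, raw I/O, modules, mounts).  mknod is the one the mail names.
HOST_REACHING = {"mknod", "sys_admin", "sys_module", "sys_rawio", "sys_boot"}

_CAP_DROP_RE = re.compile(r"^lxc\.cap\.drop\s*=\s*(.*)$")


def parse_lxc_cap_drop(conf_text):
    """Return the capability names listed by lxc.cap.drop, in order, deduplicated.

    Comments are stripped, other keys are ignored, unknown names are rejected
    so a typo cannot silently become a "nothing dropped" configuration.
    """
    dropped = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = _CAP_DROP_RE.match(line)
        if not match:
            continue
        for name in match.group(1).split():
            name = name.lower()
            if name not in CAP_TABLE:
                raise ValueError("unknown capability in lxc.cap.drop: %s" % name)
            if name not in dropped:
                dropped.append(name)
    return dropped


def build_capabilities_xml(drop=(), keep=(), policy="default"):
    """Emit <features><capabilities policy=...> with one child per capability."""
    features = ET.Element("features")
    caps = ET.SubElement(features, "capabilities", policy=policy)
    for name in drop:
        ET.SubElement(caps, name, state="off")
    for name in keep:
        if name in drop:
            raise ValueError("capability both kept and dropped: %s" % name)
        ET.SubElement(caps, name, state="on")
    return ET.tostring(features, encoding="unicode")


def capabilities_from_xml(xml_text):
    """Read a fragment back into {'on': [...], 'off': [...]} for verification."""
    result = {"on": [], "off": []}
    root = ET.fromstring(xml_text)
    for child in root.find("capabilities"):
        result[child.get("state")].append(child.tag)
    return result


def review_kept(keep):
    """Return (name, CAP_* define) for kept capabilities that reach host state."""
    return [(n, CAP_TABLE[n][0]) for n in keep if n in HOST_REACHING]


if __name__ == "__main__":
    # Constructed sample LXC config.
    sample = "lxc.cap.drop = mknod sys_chroot\nlxc.cap.drop = sys_admin  # tighten\n"
    dropped = parse_lxc_cap_drop(sample)
    print(build_capabilities_xml(drop=dropped))
    print(review_kept(["mknod"]))
```

Run stand-alone, the script converts a constructed two-line config and then shows what a reviewer would see when a domain definition keeps mknod; the round-trip function exists so a test can confirm that what was written is what a domain parser would read back.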