On Wed, Dec 07, 2011 at 12:55:44PM -0800, Chris Haumesser wrote:
> I'm experimenting with the libvirt lxc driver, and wondering if there is
> some way to control the capabilities assigned to the container processes.
>
> With lxc-tools, I can specify a configuration option, lxc.cap.drop,
> which causes the container processes to drop the specified privileges.
>
> My libvirt containers seem to run with
> cap_sys_module,cap_sys_boot,cap_sys_time,cap_audit_control,cap_mac_admin
> which is rather more permissive than I'd like. In particular,
> cap_sys_boot allows a container to reboot the host machine.

I think you have that the wrong way around. The containers run *without*
cap_sys_{module,boot,time,audit_control,mac_admin}. Any of the remaining
capabilities we allow should be safe to use within the context of a
container (well ok, we need the UID/GID namespace stuff to be finished
really for this to be safe). But we certainly block clearly dangerous
things like reboot & module loading.

Regards,
Daniel
--
|: http://berrange.com      -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
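One way to verify which of the two readings above is right for a given container is to decode the bounding set (`CapBnd`) of its init process from `/proc/<pid>/status`. The following is an added example, not code from the thread or from libvirt; the capability bit numbers are the standard Linux ones, and the two status snippets are constructed sample input (a full 38-bit bounding set for the host, the same set with the five named capabilities cleared for the container).

```python
import re

# Linux capability bit numbers (from <linux/capability.h>); list index == bit.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
]

# The capabilities the reply says the libvirt lxc driver removes.
DROPPED_BY_LIBVIRT_LXC = {"cap_sys_module", "cap_sys_boot", "cap_sys_time",
                          "cap_audit_control", "cap_mac_admin"}

# Constructed sample /proc/<pid>/status excerpts (not captured from a real host).
SAMPLE_HOST_STATUS = "Name:\tinit\nCapBnd:\t0000003fffffffff\n"
SAMPLE_CONTAINER_STATUS = "Name:\tinit\nCapBnd:\t0000003dbdbeffff\n"


def decode_cap_mask(mask_hex):
    """Turn a CapBnd/CapEff hex mask into the set of capability names it contains."""
    mask = int(mask_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def bounding_set_from_status(status_text):
    """Find the CapBnd line in /proc/<pid>/status text and decode it."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapBnd line found")
    return decode_cap_mask(m.group(1))


def still_present(status_text, expected_dropped=DROPPED_BY_LIBVIRT_LXC):
    """Return the expected-dropped capabilities that are still in the bounding set.

    An empty set means every capability the reply names is indeed blocked."""
    return expected_dropped & bounding_set_from_status(status_text)


if __name__ == "__main__":
    # On a live system point this at the container's init, e.g. /proc/<pid>/status.
    with open("/proc/self/status") as f:
        print("not dropped here:", sorted(still_present(f.read())))
```

Run it against the init process of the container (not the host) to see whether `cap_sys_boot` and friends are absent from its bounding set.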