Re: lxc capabilities

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Dec 08, 2011 at 03:34:48PM +0000, Daniel P. Berrange wrote:
> On Thu, Dec 08, 2011 at 07:14:41AM -0800, Chris Haumesser wrote:
> > Chris Haumesser wrote:
> > > Am I misinterpreting the output of getpcaps then? (getpcaps is rather
> > > undocumented).
> > 
> > Answering my own question, I was misinterpreting the output of getpcaps.
> > I found the cap_from_text(3) man page, which explained the output format.
> > 
> > I still don't understand why I was able to reboot the host from within a
> > container, however.
> 
> Well I just confirmed (the hard way!) that you are correct. It is possible
> to reboot the host from inside the container, despire CAP_SYS_REBOOT
> being blocked. I'll try & figure out how that's happening/possible...

It is obvious in retrospect. If you have a container which is sharing
the host OS's root filesystem, then it can see the host's /dev which
contains a /dev/initctrl FIFO pipe. The 'reboot' command can tell the
host OS to shutdown via that pipe, thus lack of CAP_SYS_REBOOT is
irrelevant.

Since this is a FIFO and not a blockdev/chardev we can't use cgroups
to prevent access to /dev/initctrl. The only reliable way is to wait
for the kernel's user namespace stuff.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Index of Archives]     [Virt Tools]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux