Quoting Daniel Lezcano (dlezcano@xxxxxxxxxx): > Daniel Hokka Zakrisson wrote: > > Daniel Lezcano wrote: > > > > Wouldn't it be better to simply remove CAP_SYS_BOOT from containers > > until sys_reboot emits some signal to userspace to restart/halt the > > container? (This is what we do in Linux-VServer.) > > Ok, I will try, thanks. > > BTW, isn't possible that a process gave CAP_SYS_BOOT capability again to > himself and being able to shutdown the host ? I guess I should remove > CAP_SETPCAP too, no ? No, remove it from your bounding set. You can never add bits back to that set. prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT); -serge _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
