[lxc-devel] [patch 1/5] Add capability interface

Daniel Lezcano dlezcano at fr.ibm.com
Mon Jan 4 14:44:32 UTC 2010


Hi Andrian,

so finally I decided to wake up :)
I apologize for taking so much time to answer :\
I hope you still want to have this patchset merged.

Andrian Nord wrote:
> This adds capabilities.c and capabilities.h files.
> 
> The interface consists of three functions:
> 
> * initialising function - lxc_capabilities_init:
> 	this function runs through the hardcoded capability name-to-index
> 	mapping array, checking the 'initial_state' field, and builds the
> 	initial mask according to this array.
> 
> 	Having defaults is a most nontrivial question - the current default
> 	lets the container boot normally and operate properly enough in
> 	most cases, but restricts all dangerous operations like
> 	module inserting and time changing. But probably this should be
> 	left to the system admin's decision (it will also reduce startup
> 	overhead)
> 
> * modification function - lxc_capabilities_change:
> 	this function is rather simple. Usage of a bit-mask field instead of,
> 	say, lxc_list is because lxc_list will consume more memory, while
> 	there is no way of removing the static array and looking up through
> 	it - we still need the mapping from name to mask, so it will also be
> 	slower due to additional overhead on comparisons in the list (even
> 	if only dropped values would be kept).
> 
> * apply function - lxc_capabilities_apply:
> 	this is the most problematic function - as I've failed to find a
> 	way of using libcap (I dunno why it's not working, I'll have
> 	more time to investigate some time later) or raw syscalls, here
> 	I'm checking if a capability is dropped and then dropping it with
> 	prctl. Usage of direct mask setting would be, of course,
> 	preferred


As you mentioned at the beginning, I think it is better to just drop 
the capabilities without any default, except for the shutdown 
capability. That will make the code simpler, because we won't have to 
handle the "keep" case.

And we let the admin configure the capabilities to drop themselves 
(sys_module, time, etc.), no?
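For readers following the thread, here is a small stand-alone sketch of the three-function interface discussed above (init / change / apply) built on a bitmask and prctl(PR_CAPBSET_DROP), with no default drop list so the admin decides. It is an added example written for this page, not the patch's capabilities.c or any LXC code; the function names, the 64-bit drop mask and the comma-separated config format ("sys_module,sys_time") are assumptions. It also shows the check a caller wants: dropping from the bounding set needs CAP_SETPCAP, so an unprivileged run gets EPERM and the apply function reports how many drops did not take.

```c
/* Added example (not LXC code): bitmask capability-drop interface using
 * prctl(PR_CAPBSET_DROP).  Build: cc -Wall -std=gnu99 -o capdrop capdrop.c
 * Run as root (with CAP_SETPCAP) to see the drops succeed; unprivileged,
 * the kernel refuses with EPERM and lxc_caps_apply() counts the failures. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

struct cap_entry { const char *name; int value; };

/* Hard-coded name-to-index table (a subset of the Linux capabilities). */
static const struct cap_entry cap_table[] = {
    { "chown",      CAP_CHOWN },      { "setpcap",    CAP_SETPCAP },
    { "net_admin",  CAP_NET_ADMIN },  { "sys_module", CAP_SYS_MODULE },
    { "sys_rawio",  CAP_SYS_RAWIO },  { "sys_chroot", CAP_SYS_CHROOT },
    { "sys_admin",  CAP_SYS_ADMIN },  { "sys_boot",   CAP_SYS_BOOT },
    { "sys_time",   CAP_SYS_TIME },   { "mknod",      CAP_MKNOD },
    { "mac_admin",  CAP_MAC_ADMIN },
};
#define CAP_TABLE_LEN (sizeof(cap_table) / sizeof(cap_table[0]))

/* Name -> capability number, or -1 if unknown (no "CAP_" prefix, lower case). */
int lxc_cap_lookup(const char *name)
{
    for (size_t i = 0; i < CAP_TABLE_LEN; i++)
        if (strcmp(cap_table[i].name, name) == 0)
            return cap_table[i].value;
    return -1;
}

/* Init: no defaults at all; an empty mask means "drop nothing". */
void lxc_caps_init(uint64_t *drop_mask) { *drop_mask = 0; }

/* Change: add each comma-separated name in `list` to the drop mask.
 * Returns 0, or -1 (errno EINVAL) on an unknown name; names parsed before
 * the bad one stay in the mask. */
int lxc_caps_change(uint64_t *drop_mask, const char *list)
{
    char buf[256];
    if (strlen(list) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, list);
    for (char *tok = strtok(buf, ", "); tok; tok = strtok(NULL, ", ")) {
        int cap = lxc_cap_lookup(tok);
        if (cap < 0) { errno = EINVAL; return -1; }
        *drop_mask |= (uint64_t)1 << cap;
    }
    return 0;
}

/* 1 if `cap` is still in the bounding set, 0 if not, -1 on error. */
int lxc_cap_in_bset(int cap) { return prctl(PR_CAPBSET_READ, cap, 0, 0, 0); }

/* Apply: drop every capability in the mask from the bounding set.
 * Returns the number of capabilities that could not be dropped (0 = all
 * done); errno keeps the last failure, EPERM when CAP_SETPCAP is missing.
 * Capabilities already absent from the bounding set are skipped. */
int lxc_caps_apply(uint64_t drop_mask)
{
    int failed = 0;
    for (int cap = 0; cap < 64; cap++) {
        if (!(drop_mask & ((uint64_t)1 << cap)))
            continue;
        if (lxc_cap_in_bset(cap) == 0)
            continue;
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
            failed++;
    }
    return failed;
}

int main(void)
{
    uint64_t mask;
    lxc_caps_init(&mask);
    if (lxc_caps_change(&mask, "sys_module,sys_time") < 0) {
        perror("lxc_caps_change");
        return 1;
    }
    int failed = lxc_caps_apply(mask);
    printf("drop mask 0x%llx, %d not dropped (%s)\n",
           (unsigned long long)mask, failed, failed ? strerror(errno) : "ok");
    printf("sys_module in bounding set: %d\n", lxc_cap_in_bset(CAP_SYS_MODULE));
    return failed != 0;
}
```

Bounding-set drops are irreversible for the process and everything it execs, which is why apply should be the last step before the container's init is exec'd; the inherited-set and effective-set masks are a separate matter and would need capset(2) rather than prctl.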
