[lxc-devel] Patch: Allow to drop capabilities for container
Daniel Lezcano
dlezcano at fr.ibm.com
Mon Jan 4 12:10:59 UTC 2010
Michael Holzt wrote:
> Hello everyone!
>
> I've written a patch against lxc 0.6.4 which adds a new config keyword
> 'lxc.dropcap'. This keyword allows specifying capabilities which are
> dropped before executing the container binary.
>
> Example:
>
> | # grep dropcap /var/lib/lxc/webhost/config
> | lxc.dropcap = CAP_SYS_CHROOT
> | lxc.dropcap = CAP_MKNOD
> |
> | # lxc-start -n webhost /bin/sh
> | # getpcaps 1
> | Capabilities for : =ep cap_sys_chroot,cap_sys_boot,cap_mknod-ep
>
> I attach the patch to this mail with the hope that it is useful and will be
> merged.
Thanks Michael,
There is an RFC from Andrian Nord which is very similar to your patch
allowing to drop and to keep some capabilities.
http://sourceforge.net/mailarchive/message.php?msg_id=20091117221552.GB32735%40nord.niifaq.ru
A patchset I will comment right now ;)
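
A check for the configuration in the quoted example, added here and not part of the patch, of lxc, or of either mail: it confirms that every `lxc.dropcap` entry in a container config appears as removed in the capability text `getpcaps` prints for PID 1. The function names and sample inputs are constructed, and only the `=ep list-ep` shape shown in the mail is parsed.

```shell
#!/bin/sh
# Added example: verify that configured lxc.dropcap entries took effect.

# config_dropcaps: read an lxc config on stdin and print the lxc.dropcap
# values in lower case, one per line (getpcaps prints lower-case names).
config_dropcaps() {
    sed -n 's/^[[:space:]]*lxc\.dropcap[[:space:]]*=[[:space:]]*\([A-Za-z_]*\).*$/\1/p' |
        tr 'A-Z' 'a-z'
}

# removed_effective CAPS_TEXT: CAPS_TEXT is the part of the getpcaps line
# after the colon. Prints each capability named in a "-" clause whose flags
# include "e" (effective). Assumption: no later clause re-adds a capability,
# which holds for the "=ep list-ep" shape shown in the mail.
removed_effective() {
    for clause in $1; do
        case $clause in
            *-*e*) printf '%s\n' "${clause%-*}" | tr ',' '\n' ;;
        esac
    done
}

# missing_drops CONFIG_TEXT CAPS_TEXT: print the configured drops that are
# NOT listed as removed. Empty output means the config took effect.
missing_drops() {
    removed=$(removed_effective "$2")
    printf '%s\n' "$1" | config_dropcaps | while read -r cap; do
        printf '%s\n' "$removed" | grep -qxF "$cap" || printf '%s\n' "$cap"
    done
}

# Constructed inputs mirroring the example in the mail.
SAMPLE_CONFIG='# constructed container config
lxc.dropcap = CAP_SYS_CHROOT
lxc.dropcap = CAP_MKNOD'
SAMPLE_CAPS='=ep cap_sys_chroot,cap_sys_boot,cap_mknod-ep'

missing_drops "$SAMPLE_CONFIG" "$SAMPLE_CAPS"    # prints nothing
```

Any name the function prints is a capability the config asked to drop but that PID 1 still holds in its effective set.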