[lxc-devel] [patch 1/5] Add capability interface

Amy Griffis amy.griffis at hp.com
Sat Jan 9 02:49:52 UTC 2010


Daniel Lezcano wrote:  [Tue Jan 05 2010, 04:04:33PM EST]
>Andrian Nord wrote:
>>> As you mentioned it at the beginning, I think it is better to just drop
>>> the capabilities without any default, except for the shutdown
>>> capability. That will make the code simpler, because we won't have to
>>> handle the "keep" case.
>>>
>>> And we let the admin configure the capabilities to drop themselves
>>> (sys_module, time, etc ...), no ?
>>
>>
>> Oh, ok. I'll look into it sometime after. I'm a bit swamped with daily
>> work currently, so maybe tomorrow.
>>
>> Still, I personally think that the 'keep' case is useful enough if you are
>> using common configs - you may drop common capabilities, but then revert
>> this in a container that needs these capabilities. I'm using it very often.
>> But if you reject the idea of included configs, the keep case doesn't make
>> much sense, yes.
>
>The advantage of the 'keep' option I see is, like you did, a lot of
>capabilities removed for the container by default, but with the option
>to keep them if it's too restrictive.
>
>drop only : admin has to write the right configuration each time
>drop / keep : default capabilities are dropped but they can be kept by
>configuration

I think having a default set of capabilities would be a good
thing, as having to supply the entire list could be tedious and
error prone. There is probably a common set of capabilities that
would suit a general use case, and anything else could be easily
tweaked in the config.

It would be helpful, though, if there were a tool interface to
query the default list. If I'm reading the patches right, I think
your proposed syntax looks something like this:

lxc.capability = sys_rawio:keep mknod:drop

which would then be applied to the default mask. I think you'd
want some checks for capabilities that must be dropped in order
for the container to work correctly, e.g. sys_boot.

Just my two cents,

Amy
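An added example, not code from the patch series or from LXC itself, modelling the `cap:keep cap:drop` syntax discussed above applied on top of a default mask, with the check Amy suggests for capabilities that must never be kept. The default drop list, the token format and the function names are assumptions for illustration.

```python
"""Model of the proposed 'lxc.capability' syntax (hypothetical, not LXC code).

    lxc.capability = sys_rawio:keep mknod:drop

Each token is <capability>:<keep|drop>, applied on top of a default set of
dropped capabilities. Capabilities the container must not hold are refused
even when the config says 'keep'.
"""

# Constructed default drop list for illustration; the real defaults would
# come from the patch under review, not from this example.
DEFAULT_DROP = frozenset({"sys_module", "sys_time", "sys_rawio", "mknod", "sys_boot"})

# Capabilities that must be dropped for the container to work correctly
# (the message's example is sys_boot); 'keep' on these is a config error.
MANDATORY_DROP = frozenset({"sys_boot"})


class CapabilityConfigError(ValueError):
    """Malformed token, or an attempt to keep a mandatory-drop capability."""


def parse_capability_line(value):
    """Split a config value into (capability, action) pairs, validating each token."""
    entries = []
    for token in value.split():
        name, sep, action = token.partition(":")
        if not name or not sep or action not in ("keep", "drop"):
            raise CapabilityConfigError(f"malformed capability token: {token!r}")
        entries.append((name, action))
    return entries


def resolve_dropped(value, default_drop=DEFAULT_DROP, mandatory=MANDATORY_DROP):
    """Return the final set of dropped capabilities after applying the config."""
    dropped = set(default_drop)
    for name, action in parse_capability_line(value):
        if action == "keep":
            if name in mandatory:
                raise CapabilityConfigError(f"{name} must be dropped; 'keep' refused")
            dropped.discard(name)
        else:
            dropped.add(name)
    return frozenset(dropped)


def config_error(value):
    """Return the error message for an invalid config value, or None if it is accepted."""
    try:
        resolve_dropped(value)
    except CapabilityConfigError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(sorted(resolve_dropped("sys_rawio:keep mknod:drop")))
```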
