[lxc-devel] [patch 1/1] drop capabilities
Daniel Lezcano
dlezcano at fr.ibm.com
Thu Jan 14 21:21:48 UTC 2010
Michael Holzt wrote:
>> I've written a patch which adds a new config keyword
>> 'lxc.cap.drop'. This keyword allows to specify capabilities which are
>> dropped before executing the container binary.
>
> This looks like my approach, and more or less my patch (shouldn't there be a
> signed-off-by line with me in it?).
Sorry, I forgot you signed-off-by, but you are author of the patch (that
does not appear in the mail).
Subject: drop capabilities
From: Michael Holzt <lxc at my.fqdn.org>
Hello everyone!
I've written a patch which adds a new config keyword
'lxc.cap.drop'. This keyword allows to specify capabilities which are
dropped before executing the container binary.
Example:
lxc.cap.drop = sys_chroot
lxc.cap.drop = mknod
lxc.cap.drop = sys_module
Reworked-by: Daniel Lezcano <daniel.lezcano at free.fr>
Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>
---
> Maybe i've missed part of the discussion but i can't remember that it was
> decided to use this approach. So maybe you can explain?
Sure. There were some discussions around the default values and a 'keep'
capability option. As no decisions was made, I took your patchset to
drop the capabilities and changed the option line with lxc.cap.drop. So
if we decide to add a "keep" capability option, we will add the
lxc.cap.keep option.
Maybe multiple lines is too much and we can change that to:
lxc.cap.drop = sys_chroot mknod sys_module
More information about the lxc-devel
mailing list