[lxc-devel] lxc-attach and capabilities

Christian Seiler christian at iwakd.de
Thu Dec 22 17:17:34 UTC 2011


Hi,

Using kernel 3.1 and the LXC patches[*] to make lxc-attach work, if I
drop capabilities such as CAP_NET_ADMIN from a container, if I access
the container with lxc-attach, I have the full capabilities available
in my host shell, not the limited capabilities of the container.

Is this on purpose? In my opinion the sensible behaviour would be to
acquire the same capabilities as configured for the container. On the
other hand, it could be useful to enter the container and keep the
capabilities if, for example, one wants to reconfigure parts of the
network (which cannot be done directly from the outside since the
network namespace separates these devices).

The way I see it, the ideal solution would probably be that lxc-attach
drops its capabilities by default (according to the config of the
container specified with the -n option) and that there is an option
(e.g. --keep-capabilities) that overrides this, in case the admin wants
to execute something in the container with elevated privileges.

If you agree with me on the behaviour, I'd be happy to write a patch
that implements this.

Christian

[*] http://lxc.sourceforge.net/patches/linux/3.0.0/3.0.0-lxc1/
     Btw. they do not cleanly apply against 3.1 anymore, but can
     be trivially modified. And are these patches going to be
     merged with the official kernel tree at some point?
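As an added illustration of the default proposed above (this is not code from the post or from LXC), the following C sketch takes the container's lxc.cap.drop value, maps each name to its CAP_* number and removes it from the caller's bounding set with prctl(PR_CAPBSET_DROP) before exec'ing into the container; a keep flag stands in for the suggested --keep-capabilities override. The name table is an assumed subset of LXC's lowercase capability names.

```c
/* Added example, not code from the post or from LXC: drop the capabilities an
 * lxc.cap.drop line names from the bounding set unless keep is set. */
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Assumption: a subset of LXC's lowercase capability names. */
static const struct { const char *name; int cap; } cap_table[] = {
    { "net_admin", CAP_NET_ADMIN }, { "sys_admin", CAP_SYS_ADMIN },
    { "sys_module", CAP_SYS_MODULE }, { "mknod", CAP_MKNOD },
};

/* Map a name to its CAP_* number; -1 if unknown. */
int cap_number(const char *name)
{
    for (size_t i = 0; i < sizeof cap_table / sizeof cap_table[0]; i++)
        if (strcmp(cap_table[i].name, name) == 0)
            return cap_table[i].cap;
    return -1;
}

/* Parse the whitespace-separated value into caps[]; -1 on an unknown name. */
int parse_cap_drop(const char *value, int *caps, int max)
{
    char buf[256];
    int n = 0;
    snprintf(buf, sizeof buf, "%s", value);
    for (char *tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        int c = cap_number(tok);
        if (c < 0 || n == max)
            return -1;
        caps[n++] = c;
    }
    return n;
}

/* 1 if cap is in the bounding set, 0 if not (readable without privilege). */
int cap_in_bounding_set(int cap) { return prctl(PR_CAPBSET_READ, cap, 0, 0, 0); }

/* Apply the drops before exec'ing into the container. Needs CAP_SETPCAP;
 * returns the number dropped, 0 when keep is set, -1 on failure (e.g. EPERM). */
int apply_cap_drop(const char *value, int keep)
{
    int caps[64], n = keep ? 0 : parse_cap_drop(value, caps, 64);
    for (int i = 0; i < n; i++)
        if (prctl(PR_CAPBSET_DROP, caps[i], 0, 0, 0) < 0)
            return -1;
    return n;
}
```

Dropping from the bounding set is irreversible for the process and its children, which is exactly why the keep path must be chosen before the drop, not after.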