[lxc-devel] [PATCH] Improve capability handling in LXC
Christian Seiler
christian at iwakd.de
Wed Feb 1 16:12:07 UTC 2012
Hi,
I've attached patches that improve capability handling in LXC. I stumbled
upon the issue that I wanted to deactivate "dmesg" from inside containers
with a fairly recent kernel. Instead of dropping CAP_SYS_ADMIN, as was
the case with previous kernel versions, one is now supposed to drop
CAP_SYSLOG. Unfortunately, LXC doesn't know about it yet.
The attached patches do the following:
- add CAP_SYSLOG and CAP_WAKE_ALARM to the list of capabilities, since
they are new
- add a function that determines the maximum number of capabilities the
current running kernel (not the one LXC is compiled against) supports
- support the specification of numerical IDs for capabilities when using
lxc.cap.drop. Then, even if LXC doesn't understand the capability or
was compiled against an older kernel, it is still possible to drop that
specific capability.
Christian
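The two mechanisms the mail describes (asking the running kernel for its highest capability number instead of trusting the compile-time constant, and accepting numeric IDs in lxc.cap.drop so a capability can be dropped even when the name table is stale) can be shown in a few dozen lines of C. The block below is an added illustration written for this archive page; it is not the attached patch set and not LXC code. It assumes Linux (/proc/sys/kernel/cap_last_cap and prctl(PR_CAPBSET_DROP)), uses the kernel's own numbers for the few capabilities in its table (CAP_SYS_ADMIN = 21, CAP_SYSLOG = 34, CAP_WAKE_ALARM = 35), and falls back to a constant of 35 when /proc is unreadable; the sample lxc.cap.drop string in main() is constructed.

```c
/* Added example, not LXC's code or the attached patches: resolve lxc.cap.drop
 * entries by name or numeric ID against the running kernel's capability limit
 * and drop them from the bounding set. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

#ifndef PR_CAPBSET_DROP
#define PR_CAPBSET_DROP 24
#endif

/* Assumption: used only when /proc/sys/kernel/cap_last_cap cannot be read.
 * 35 is CAP_WAKE_ALARM, the newest capability named in the mail. */
#define FALLBACK_LAST_CAP 35

struct cap_name { const char *name; int value; };

/* lxc.cap.drop uses lowercase names without the CAP_ prefix. Kernel ABI
 * numbers; the table is deliberately small (an "older LXC" would lack the
 * newer entries, which is exactly when a numeric ID helps). */
static const struct cap_name cap_names[] = {
    { "chown",      0 },
    { "sys_admin",  21 },
    { "sys_boot",   23 },
    { "mknod",      27 },
    { "syslog",     34 },
    { "wake_alarm", 35 },
};

/* Highest capability number the *running* kernel supports. The compile-time
 * constant is stale when the binary was built against older headers. */
int cap_last_cap(void)
{
    FILE *f = fopen("/proc/sys/kernel/cap_last_cap", "r");
    int last = -1;
    if (f) {
        if (fscanf(f, "%d", &last) != 1)
            last = -1;
        fclose(f);
    }
    return last >= 0 ? last : FALLBACK_LAST_CAP;
}

/* Resolve one lxc.cap.drop entry (name or decimal number). Returns the
 * capability number, or -1 if the name is unknown or the value lies outside
 * 0..last_cap, so a config can never reference a cap the kernel lacks. */
int parse_cap_spec(const char *spec, int last_cap)
{
    size_t i;
    int all_digits = *spec != '\0';
    for (const char *p = spec; *p; p++)
        if (!isdigit((unsigned char)*p)) { all_digits = 0; break; }

    if (all_digits) {
        long v = strtol(spec, NULL, 10);
        return (v >= 0 && v <= last_cap) ? (int)v : -1;
    }
    for (i = 0; i < sizeof cap_names / sizeof cap_names[0]; i++)
        if (strcmp(spec, cap_names[i].name) == 0)
            return cap_names[i].value <= last_cap ? cap_names[i].value : -1;
    return -1;
}

/* Resolve a whitespace-separated list into out[]. Returns the count, or -1
 * on the first entry that cannot be resolved (reported on stderr). */
int resolve_cap_list(const char *list, int last_cap, int *out, int max)
{
    char buf[256];
    char *save, *tok;
    int n = 0;
    snprintf(buf, sizeof buf, "%s", list);
    for (tok = strtok_r(buf, " \t", &save); tok; tok = strtok_r(NULL, " \t", &save)) {
        int cap = parse_cap_spec(tok, last_cap);
        if (cap < 0) {
            fprintf(stderr, "unknown or unsupported capability '%s'\n", tok);
            return -1;
        }
        if (n == max) {
            fprintf(stderr, "too many capabilities in list\n");
            return -1;
        }
        out[n++] = cap;
    }
    return n;
}

/* Remove one capability from the bounding set (requires CAP_SETPCAP). */
int drop_bounding_cap(int cap)
{
    return prctl(PR_CAPBSET_DROP, cap, 0, 0, 0);
}

int main(void)
{
    int caps[64], n, i;
    int last = cap_last_cap();
    /* Constructed lxc.cap.drop value: a known name, the new CAP_SYSLOG,
     * and a raw number for which this table might have no name. */
    n = resolve_cap_list("sys_admin syslog 35", last, caps, 64);
    if (n < 0)
        return 1;
    for (i = 0; i < n; i++)
        if (drop_bounding_cap(caps[i]) != 0)
            fprintf(stderr, "cannot drop cap %d: %s\n", caps[i], strerror(errno));
    printf("kernel supports capabilities 0..%d; processed %d entries\n", last, n);
    return 0;
}
```

Validating numeric IDs against cap_last_cap() rather than against the name table is the point: a number above the table's last entry but within the kernel's range is accepted, while a number the kernel does not know (or a named capability newer than the kernel) is rejected before any prctl() call is made.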