[lxc-devel] [PATCH] lxc-attach: Consider cgroup, personality and capabilities when attaching processes to a container

Christian Seiler christian at iwakd.de
Fri Feb 3 12:54:17 UTC 2012


Hi,

As I didn't hear anything on this issue, I looked at it more closely and
found that not only are capabilities currently not dropped from within
lxc, but also the personality is not set correctly and the newly started
process is not put in the correct cgroup (circumventing e.g. device
restrictions!) when using lxc-attach.

I've now created a set of patches that make sure that every attached
process

 - in the correct cgroup of the container
 - has the correct personality set
 - drops its capabilities

I also added the -f and -s switches to lxc-attach, because it now needs to
read the same configuration file as lxc-start to determine the capabilities
and personality. Additionally, lxc-attach now has a -k switch, which will
inhibit it from dropping the capabilities, so an administrator from the
outside may use this to reconfigure things in the container which he now may
not have been able to.

I hope you are agreeable to this improvement being merged.

Thanks,
Christian

PS: I already didn't get any reply to my previous email: Is there any
progress on pushing the last few patches required for lxc-attach to work to
the upstream Linux kernel?
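The points the mail raises (an attached process ending up outside the container's cgroup and keeping its capabilities) are easy to check from the host after the fact. The following is an added example, not code from the lxc patch set or from this thread: it parses the text of /proc/<pid>/status (capability masks) and /proc/<pid>/cgroup (membership) and flags a process that is not in the expected devices cgroup or still holds CAP_SYS_ADMIN or CAP_MKNOD in its bounding set. The sample /proc text is constructed, the expected cgroup path "/lxc/web" is hypothetical, and the two capabilities were chosen for illustration, not taken from lxc's default drop list.

```c
/* Added example (not part of the lxc patch or this thread): audit whether a
 * process attached into a container is actually confined, by parsing the text
 * of /proc/<pid>/status (capability masks) and /proc/<pid>/cgroup (membership).
 * Sample input below is constructed; the expected cgroup path is hypothetical. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN 21   /* capability numbers as in linux/capability.h */
#define CAP_MKNOD     27

/* Parse a mask line such as "CapBnd:\t0000003fffffffff". Returns 1 and fills
 * *mask on success, 0 if the key is absent. */
int parse_cap_mask(const char *status_text, const char *key, uint64_t *mask)
{
    const char *p = status_text;
    size_t klen = strlen(key);
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == ':') {
            *mask = strtoull(p + klen + 1, NULL, 16); /* strtoull skips the tab */
            return 1;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return 0;
}

int cap_is_set(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Does a comma-separated controller list of length len contain needle? */
static int list_has(const char *list, size_t len, const char *needle)
{
    size_t nlen = strlen(needle), i = 0;
    while (i < len) {
        size_t j = i;
        while (j < len && list[j] != ',') j++;
        if (j - i == nlen && strncmp(list + i, needle, nlen) == 0) return 1;
        i = j + 1;
    }
    return 0;
}

/* Find the path for a controller in /proc/<pid>/cgroup lines of the form
 * "hierarchy-id:controller-list:path". Returns 1 and copies the path. */
int cgroup_path_for(const char *cgroup_text, const char *controller,
                    char *out, size_t outlen)
{
    const char *line = cgroup_text;
    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *c1 = memchr(line, ':', len);
        const char *c2 = c1 ? memchr(c1 + 1, ':', len - (size_t)(c1 + 1 - line)) : NULL;
        if (c2 && list_has(c1 + 1, (size_t)(c2 - c1 - 1), controller)) {
            size_t plen = (size_t)(line + len - (c2 + 1));
            if (plen >= outlen) plen = outlen - 1;
            memcpy(out, c2 + 1, plen);
            out[plen] = '\0';
            return 1;
        }
        line = end ? end + 1 : NULL;
    }
    return 0;
}

/* 0 = confined as expected; otherwise a bitmask: 1 = wrong or missing devices
 * cgroup, 2 = CAP_SYS_ADMIN still in bounding set, 4 = CAP_MKNOD still there. */
int audit_attached(const char *status_text, const char *cgroup_text,
                   const char *expected_devices_cgroup)
{
    int findings = 0;
    char path[256];
    uint64_t bnd = 0;
    if (!cgroup_path_for(cgroup_text, "devices", path, sizeof path) ||
        strcmp(path, expected_devices_cgroup) != 0)
        findings |= 1;
    if (!parse_cap_mask(status_text, "CapBnd", &bnd)) {
        findings |= 2 | 4;               /* cannot prove anything was dropped */
    } else {
        if (cap_is_set(bnd, CAP_SYS_ADMIN)) findings |= 2;
        if (cap_is_set(bnd, CAP_MKNOD))     findings |= 4;
    }
    return findings;
}

/* Constructed samples: a process attached without confinement vs. one that
 * landed in the container's cgroup with the two capabilities removed. */
const char *STATUS_UNCONFINED =
    "Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n";
const char *CGROUP_UNCONFINED = "6:devices:/\n5:cpu,cpuacct:/\n";
const char *STATUS_CONFINED =
    "Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t0000003ff7dfffff\n"
    "CapEff:\t0000003ff7dfffff\nCapBnd:\t0000003ff7dfffff\n";
const char *CGROUP_CONFINED = "6:devices:/lxc/web\n5:cpu,cpuacct:/lxc/web\n";

int main(void)
{
    printf("unconfined findings: %d\n",
           audit_attached(STATUS_UNCONFINED, CGROUP_UNCONFINED, "/lxc/web"));
    printf("confined findings:   %d\n",
           audit_attached(STATUS_CONFINED, CGROUP_CONFINED, "/lxc/web"));
    return 0;
}
```

On a real host the two text buffers would be read from /proc/<pid>/status and /proc/<pid>/cgroup of the attached process; the bounding set (CapBnd) is the mask to check, since a capability dropped from it cannot be regained by a later exec.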