[lxc-devel] [PATCH] Improve capability handling in LXC
Daniel Lezcano
daniel.lezcano at free.fr
Sun Feb 5 22:17:02 UTC 2012
On 02/01/2012 05:12 PM, Christian Seiler wrote:
> Hi,
>
> I've attached patches that improve capability handling in LXC. I stumbled
> upon the issue that I wanted to deactivate "dmesg" from inside containers
> with a fairly recent kernel. Instead of dropping CAP_SYS_ADMIN, as it was
> the case with previous kernel versions, one is now supposed to drop
> CAP_SYSLOG. Unfortunately, LXC doesn't know about it yet.
>
> The attached patches do the following:
> - add CAP_SYSLOG and CAP_WAKE_ALARM to the list of capabilities, since
> they are new
> - add a function that determines the maximum number of capabilities the
> current running kernel (not the one LXC is compiled against) supports
> - support the specification of numerical IDs for capabilities when using
> lxc.cap.drop. Then, even if LXC doesn't understand the capability or
> was compiled against an older kernel, it is still possible to drop that
> specific capability.
>
Looks good to me.
More information about the lxc-devel
mailing list