[lxc-devel] set shmmax for container in lxc-execute
Serge Hallyn
serge.hallyn at canonical.com
Fri Jul 6 14:25:15 UTC 2012
Quoting J. Xiao (jian at linux.vnet.ibm.com):
> I checked all the capabilities are up before opening shmmax file.
> If I seteuid to 0, the open succeeds. There seems to be a difference
> between having a root euid and a regular user having root capabilities
> in terms of writing to shmmax file.
Yup, for sysctl files your uid is checked. A simple program to
demonstrate:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>          /* seteuid, getpid, sleep */
#include <sys/prctl.h>
#include <sys/capability.h>  /* libcap: build with -lcap */
#include <errno.h>

/* Raise every capability in the effective set. The permitted set
   survives the seteuid() below because of PR_SET_KEEPCAPS. */
void setcaps(void)
{
	cap_value_t v;
	cap_t caps = cap_get_proc();

	for (v = 0; v < 32; v++) {
		cap_set_flag(caps, CAP_EFFECTIVE, 1, &v, CAP_SET);
	}
	if (cap_set_proc(caps) < 0)
		perror("cap_set_proc");
	cap_free(caps);
}

int main(void)
{
	/* Run as root: keep the permitted caps while dropping the euid. */
	prctl(PR_SET_KEEPCAPS, 1);
	seteuid(1000);
	setcaps();

	/* euid 1000 with a full effective set: the sysctl write is still
	   refused, because the check is on the uid, not the capabilities. */
	FILE *f = fopen("/proc/sys/kernel/shmmax", "w");
	if (f == NULL)
		perror("fopen");
	else
		fclose(f);

	printf("I am %d\n", getpid());
	sleep(20); // if you want a chance to check /proc/$pid/status
	exit(0);
}