[lxc-devel] [PATCH RFC] introduce lxc.cap.keep

Qiang Huang h.huangqiang at huawei.com
Wed Jul 3 03:50:08 UTC 2013


On 2013/7/3 11:23, Serge Hallyn wrote:
> Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
>> The lxc configuration file currently supports 'lxc.cap.drop', a list of
>> capabilities to be dropped (using the bounding set) from the container.
>> The problem with this is that over time new capabilities are added.  So
>> an older container configuration file may, over time, become insecure.
>>
>> Walter has in the past suggested replacing lxc.cap.drop with
>> lxc.cap.preserve, which would have the inverse sense - any capabilities
>> in that set would be kept, any others would be dropped.
>>
>> Realistically both have the same problem - the sendmail capabilities
>> bug proved that running code with unexpectedly dropped privilege can be
>> dangerous.  This patch gives the admin a choice:  You can use either
>> lxc.cap.keep or lxc.cap.drop, not both.

What if someone uses them both?
I don't see too much help from this patch, and this introduces some
confusion :(

>>
>> Both continue to be ignored if a user namespace is in use.
> 
> Does anyone have any comments on this patch?
> 
> I still have to decide whether, if no one replies, I'll drop it or push
> it.
> 
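The security point in the patch description is the difference between a deny-list (lxc.cap.drop: everything not listed stays in the bounding set) and an allow-list (lxc.cap.keep: only what is listed survives) when the kernel later grows a new capability. The following Python model is an added illustration, not code from the thread or from LXC itself. It follows LXC's config syntax of space-separated lowercase capability names without the CAP_ prefix, uses two constructed kernel capability snapshots (the newer one adds block_suspend), computes the resulting bounding set for each mode, and enforces the "one or the other, not both" rule the patch describes; the parse and drift functions are hypothetical helper names.

```python
"""Toy model of lxc.cap.drop (deny-list) versus lxc.cap.keep (allow-list)
when a kernel upgrade introduces a capability the container config never
mentioned. Added example; not LXC's own code."""

# Constructed: capabilities an "old" kernel knows, in LXC's lowercase form.
OLD_KERNEL_CAPS = frozenset({
    "chown", "net_admin", "sys_admin", "sys_module", "mknod", "sys_time",
})
# Constructed: a "newer" kernel that has gained one more capability.
NEW_KERNEL_CAPS = OLD_KERNEL_CAPS | {"block_suspend"}

# Constructed config fragments, one per mode.
DROP_CONFIG = ["lxc.cap.drop = sys_module mknod sys_time  # deny-list"]
KEEP_CONFIG = ["lxc.cap.keep = chown net_admin sys_admin  # allow-list"]
BOTH_CONFIG = DROP_CONFIG + KEEP_CONFIG


def parse_cap_config(lines):
    """Collect lxc.cap.drop / lxc.cap.keep entries from config lines.

    Returns ("drop", caps) or ("keep", caps). Raises ValueError if both keys
    are set, which is the exclusivity rule stated in the patch description.
    """
    drop, keep = set(), set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "lxc.cap.drop":
            drop.update(value.split())
        elif key == "lxc.cap.keep":
            keep.update(value.split())
    if drop and keep:
        raise ValueError("lxc.cap.drop and lxc.cap.keep cannot both be set")
    if keep:
        return ("keep", frozenset(keep))
    return ("drop", frozenset(drop))


def bounding_set(config, kernel_caps):
    """Capabilities left in the container's bounding set on a given kernel."""
    mode, caps = config
    if mode == "keep":
        # Allow-list: a capability the config never heard of is never granted.
        return caps & kernel_caps
    # Deny-list: anything the config did not list is granted, old or new.
    return kernel_caps - caps


def capability_drift(config, old_caps, new_caps):
    """Capabilities a container silently gains from a kernel upgrade alone."""
    return bounding_set(config, new_caps) - bounding_set(config, old_caps)


if __name__ == "__main__":
    for name, cfg in (("drop", DROP_CONFIG), ("keep", KEEP_CONFIG)):
        parsed = parse_cap_config(cfg)
        drift = capability_drift(parsed, OLD_KERNEL_CAPS, NEW_KERNEL_CAPS)
        print(f"{name}: gained after upgrade -> {sorted(drift) or 'nothing'}")
    try:
        parse_cap_config(BOTH_CONFIG)
    except ValueError as exc:
        print(f"both: rejected ({exc})")
```

Running it shows the deny-list container picking up block_suspend without any config change, while the allow-list container gains nothing; the same allow-list behaviour is what can break software that expects a capability it was never granted, which is the other half of the trade-off the patch leaves to the admin.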