[lxc-devel] [PATCH RFC] introduce lxc.cap.keep

Serge Hallyn serge.hallyn at ubuntu.com
Wed Jul 3 05:19:46 UTC 2013


Quoting Qiang Huang (h.huangqiang at huawei.com):
> On 2013/7/3 11:23, Serge Hallyn wrote:
> > Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
> >> The lxc configuration file currently supports 'lxc.cap.drop', a list of
> >> capabilities to be dropped (using the bounding set) from the container.
> >> The problem with this is that over time new capabilities are added.  So
> >> an older container configuration file may, over time, become insecure.
> >>
> >> Walter has in the past suggested replacing lxc.cap.drop with
> >> lxc.cap.preserve, which would have the inverse sense - any capabilities
> >> in that set would be kept, any others would be dropped.
> >>
> >> Realistically both have the same problem - the sendmail capabilities
> >> bug proved that running code with unexpectedly dropped privilege can be
> >> dangerous.  This patch gives the admin a choice:  You can use either
> >> lxc.cap.keep or lxc.cap.drop, not both.
> 
> What if someone uses them both?

Then you get

	ERROR("Simultaneously requested dropping and keeping caps");

> I don't see too much help from this patch, and this introduce some
> confusion :(

Walter's idea was that if you want to give a container only
CAP_SYS_TIME, so you explicitly blacklist all the others, and then you
update to a new kernel which introduces a new capability, then you'll
end up with more capabilities in the container than you'd wanted.

The idea has both merits and flaws.  But if no one else actually wants
to use this, then I prefer not to add it, as it's one more code path
to risk getting stale and buggy over time.

thanks,
-serge

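A worked illustration of the staleness problem discussed above, written for this page rather than taken from the patch or from LXC itself. It models capabilities as bit positions in a 64-bit mask, numbered as in linux/capability.h (CAP_SYS_TIME is 25); it assumes the kernel known when the config was written has 37 capabilities (0..36) and that the next kernel adds one more. The drop list is the blacklist an admin would write to leave a container only CAP_SYS_TIME; the keep list names CAP_SYS_TIME directly. Function and constant names are this example's own, not LXC's.

```c
/* Added example, not LXC code: compare an lxc.cap.drop blacklist with an
 * lxc.cap.keep allowlist when the kernel grows a new capability. */
#include <stdio.h>

typedef unsigned long long capmask;

/* Numbers follow linux/capability.h (CAP_SYS_TIME == 25).
 * Assumption for this example: the kernel at config-writing time knows
 * 37 capabilities, 0..36. */
enum { CAP_SYS_TIME_NR = 25, NCAPS_AT_CONFIG_TIME = 37 };

/* Bounding set offered by a kernel that knows ncaps capabilities (bits 0..ncaps-1). */
capmask kernel_bset(unsigned ncaps)
{
    if (ncaps >= 64)
        return ~0ULL;
    return (1ULL << ncaps) - 1;
}

capmask cap_bit(unsigned cap)
{
    return 1ULL << cap;
}

/* Every capability a kernel with ncaps capabilities knows, except `cap`:
 * the blacklist an admin writes in lxc.cap.drop to mean "allow only cap". */
capmask all_but(unsigned ncaps, unsigned cap)
{
    return kernel_bset(ncaps) & ~cap_bit(cap);
}

/* Apply the container config to a kernel with ncaps capabilities.
 * Only one of drop/keep may be non-empty, mirroring the patch's
 * "Simultaneously requested dropping and keeping caps" error.
 * Returns 0 and stores the resulting bounding set in *out, or -1 on a
 * conflicting config. */
int apply_cap_policy(unsigned ncaps, capmask drop, capmask keep, capmask *out)
{
    capmask bset = kernel_bset(ncaps);

    if (drop && keep)
        return -1;
    if (keep)
        *out = bset & keep;    /* allowlist: caps unknown at config time are dropped */
    else
        *out = bset & ~drop;   /* blacklist: caps unknown at config time survive */
    return 0;
}

int main(void)
{
    capmask drop = all_but(NCAPS_AT_CONFIG_TIME, CAP_SYS_TIME_NR);
    capmask keep = cap_bit(CAP_SYS_TIME_NR);
    capmask r;
    unsigned ncaps;

    /* Same config, applied to the original kernel and to one with a new cap. */
    for (ncaps = NCAPS_AT_CONFIG_TIME; ncaps <= NCAPS_AT_CONFIG_TIME + 1; ncaps++) {
        apply_cap_policy(ncaps, drop, 0, &r);
        printf("kernel with %u caps, lxc.cap.drop: bounding set %#llx\n", ncaps, r);
        apply_cap_policy(ncaps, 0, keep, &r);
        printf("kernel with %u caps, lxc.cap.keep: bounding set %#llx\n", ncaps, r);
    }
    if (apply_cap_policy(NCAPS_AT_CONFIG_TIME, drop, keep, &r) < 0)
        printf("Simultaneously requested dropping and keeping caps\n");
    return 0;
}
```

With the drop-list config the bounding set on the newer kernel contains bit 37 as well as CAP_SYS_TIME, which is exactly the extra privilege Walter's objection is about; with the keep-list config it still contains only CAP_SYS_TIME. The mask only models the outcome: LXC itself removes each capability from the bounding set one at a time with prctl(PR_CAPBSET_DROP), and a keep list has the opposite risk the thread mentions, namely code that breaks or misbehaves because a capability it expected was silently dropped.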