[lxc-devel] [PATCH] lxc-attach: elevate specific privileges

Serge Hallyn serge.hallyn at ubuntu.com
Wed Nov 20 16:55:06 UTC 2013


Quoting Christian Seiler (christian at iwakd.de):
> Hi,
> 
> assuming this compiles and does the right thing at runtime (I haven't
> had time to test it, but from reading the source it looks fine) and
> as discussed in this thread you will slightly improve it later:
> 
> On 20.11.2013 15:07, Nikola Kotur wrote:
> > There are scenarios in which we want to execute a process with specific
> > privileges elevated.
> >
> > An example for this might be executing a process inside the container
> > securely, with capabilities dropped, but not in the container's cgroup so
> > that we can have per-process restrictions inside a single container.
> >
> > Similar to namespaces, privileges to be elevated can be OR'd:
> >
> >     lxc-attach --elevated-privileges='CAP|CGROUP' ...
> >
> > Backward compatibility with previous versions is retained. In case no
> > privileges are specified behaviour is the same as before: all of them
> > are elevated.
> >
> > Signed-off-by: Nikola Kotur <kotnick at gmail.com>
> 
> Acked-By: Christian Seiler <christian at iwakd.de>

Thanks, guys, applied.
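
The option format described in the commit message above, sketched as a fail-closed parser. This is an added example, not code from the patch or from LXC: the function names, the `ELEV_*` constants and their values are hypothetical, and only the tokens `CAP` and `CGROUP` come from the message. Treating an empty string, a misspelled name or a lowercase name as an error is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bit values; only the names CAP and CGROUP are on the page. */
#define ELEV_CAP    0x1u
#define ELEV_CGROUP 0x2u
#define ELEV_ALL    (ELEV_CAP | ELEV_CGROUP)

/* Parse a 'CAP|CGROUP'-style list into *mask.
 * spec == NULL means no list was given: everything is elevated, which is
 * the backward-compatible behaviour the commit message describes.
 * Returns 0 on success, -1 on an unknown or empty token; *mask is left
 * untouched on error so a typo can never widen or narrow privileges. */
int parse_elevated(const char *spec, unsigned *mask)
{
    unsigned m = 0;
    const char *p = spec;

    if (spec == NULL) { *mask = ELEV_ALL; return 0; }
    for (;;) {
        size_t n = strcspn(p, "|");            /* length of current token */
        if (n == 3 && strncmp(p, "CAP", 3) == 0)
            m |= ELEV_CAP;
        else if (n == 6 && strncmp(p, "CGROUP", 6) == 0)
            m |= ELEV_CGROUP;
        else
            return -1;                         /* fail closed */
        if (p[n] == '\0')
            break;
        p += n + 1;                            /* skip the '|' */
    }
    *mask = m;
    return 0;
}

/* Restrictions that still apply to the attached process. */
unsigned still_restricted(unsigned elevated) { return ELEV_ALL & ~elevated; }

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "CAP|CGROUP", "CGROUP", "CAP|ROOT", "CAP|", NULL };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned m = 0;
        int rc = parse_elevated(samples[i], &m);
        printf("%-12s rc=%d elevated=0x%x restricted=0x%x\n",
               samples[i] ? samples[i] : "(none)", rc, m, still_restricted(m));
    }
    return 0;
}
```
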
