[lxc-devel] [lxc/lxc] 1fb86a: introduce lxc.cap.keep

GitHub noreply at github.com
Thu Sep 5 22:22:54 UTC 2013


  Branch: refs/heads/staging
  Home:   https://github.com/lxc/lxc
  Commit: 1fb86a7cdc22d22b14d03eb0cbd1aa6702862dd4
      https://github.com/lxc/lxc/commit/1fb86a7cdc22d22b14d03eb0cbd1aa6702862dd4
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2013-09-05 (Thu, 05 Sep 2013)

  Changed paths:
    M doc/lxc.conf.sgml.in
    M src/lxc/conf.c
    M src/lxc/conf.h
    M src/lxc/confile.c

  Log Message:
  -----------
  introduce lxc.cap.keep

The lxc configuration file currently supports 'lxc.cap.drop', a list of
capabilities to be dropped (using the bounding set) from the container.
The problem with this is that over time new capabilities are added.  So
an older container configuration file may, over time, become insecure.

Walter has in the past suggested replacing lxc.cap.drop with
lxc.cap.preserve, which would have the inverse sense - any capabilities
in that set would be kept, any others would be dropped.

Realistically both have the same problem - the sendmail capabilities
bug proved that running code with unexpectedly dropped privilege can be
dangerous.  This patch gives the admin a choice:  You can use either
lxc.cap.keep or lxc.cap.drop, not both.

Both continue to be ignored if a user namespace is in use.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
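The drift the commit message describes can be made concrete with a small model of how the two keys resolve against the capability list a kernel knows about. This is an added example, not LXC project code: the capability bit numbers come from linux/capability.h (a real subset), the "old" and "new" kernel lists and the /proc status excerpt are constructed for the demonstration, the config parsing is a simplified stand-in for LXC's parser, and treating an unknown capability name as a hard error is an assumption. The decoder for the CapBnd line is what a practitioner would use to check the bounding set a container actually ended up with.

```python
"""Added example for the lxc.cap.drop / lxc.cap.keep discussion.

Not LXC project code: it models how the two keys resolve against the
capability list a kernel knows about, so the drift problem in the commit
message (a drop list silently keeping capabilities added later) can be
seen, and it decodes the CapBnd line of /proc/<pid>/status to check the
bounding set a container actually ended up with.
"""
import re

# Capability bit numbers from linux/capability.h (real values, subset).
CAP_BITS = {
    "chown": 0, "dac_override": 1, "kill": 5, "setuid": 7,
    "net_bind_service": 10, "net_admin": 12, "sys_module": 16,
    "sys_admin": 21, "mknod": 27, "mac_override": 32, "mac_admin": 33,
    "syslog": 34, "wake_alarm": 35, "block_suspend": 36,
}

# Constructed kernel capability lists: block_suspend (bit 36) did not
# exist on the older kernel and was added later.
OLD_KERNEL = [c for c in CAP_BITS if c != "block_suspend"]
NEW_KERNEL = list(CAP_BITS)


def parse_lxc_caps(conf_text):
    """Return ("drop", names) or ("keep", names) from an lxc.conf fragment.

    Enforces the rule in the commit message: the two keys are mutually
    exclusive.  Comment stripping and 'key = value' handling are a
    simplified assumption about the config format, not LXC's parser.
    """
    drop, keep = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        names = value.split()
        if key.strip() == "lxc.cap.drop":
            drop.extend(names)
        elif key.strip() == "lxc.cap.keep":
            keep.extend(names)
    if drop and keep:
        raise ValueError("lxc.cap.drop and lxc.cap.keep cannot both be set")
    return ("keep", keep) if keep else ("drop", drop)


def bounding_set(policy, kernel_caps):
    """Capabilities left in the bounding set after applying the policy.

    Assumption: a name the kernel does not know is a hard error.
    """
    mode, names = policy
    unknown = set(names) - set(kernel_caps)
    if unknown:
        raise ValueError("unknown capability: " + ", ".join(sorted(unknown)))
    if mode == "drop":
        return set(kernel_caps) - set(names)
    return set(kernel_caps) & set(names)


def drift(conf_text, old_kernel, new_kernel):
    """Capabilities a container gets on new_kernel but did not get on old_kernel."""
    policy = parse_lxc_caps(conf_text)
    return bounding_set(policy, new_kernel) - bounding_set(policy, old_kernel)


def capbnd_mask(caps):
    """Bitmask in the form the kernel prints on the CapBnd line."""
    mask = 0
    for name in caps:
        mask |= 1 << CAP_BITS[name]
    return mask


def decode_capbnd(status_text):
    """Known capability names set in the CapBnd line of a /proc/<pid>/status dump."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapBnd line")
    mask = int(m.group(1), 16)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


DROP_CONF = "lxc.cap.drop = sys_module mac_admin mac_override\n"
KEEP_CONF = "lxc.cap.keep = chown kill setuid net_bind_service\n"

# Constructed /proc/<pid>/status excerpt for a container started with
# KEEP_CONF: bits 0, 5, 7 and 10 set, i.e. 0x4a1.
SAMPLE_STATUS = "Name:\tinit\nCapBnd:\t00000000000004a1\nCapEff:\t00000000000004a1\n"

if __name__ == "__main__":
    print("drop-list drift on newer kernel:", drift(DROP_CONF, OLD_KERNEL, NEW_KERNEL))
    print("keep-list drift on newer kernel:", drift(KEEP_CONF, OLD_KERNEL, NEW_KERNEL))
    print("CapBnd in sample status:", sorted(decode_capbnd(SAMPLE_STATUS)))
```

The drop list gains block_suspend as soon as the kernel grows that bit, while the keep list stays fixed; the flip side, as the commit message notes, is that a keep list removes capabilities a program may not expect to lose, so either choice needs the real bounding set checked with the decoder rather than assumed from the config.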
