[lxc-devel] [PATCH 2/2] don't force dropping capabilities in lxc-init

Dwight Engen dwight.engen at oracle.com
Thu Jun 19 13:01:26 UTC 2014 

Commit 0af683cf added clearing of capabilities to lxc-init, but only
after lxc_setup_fs() was done, likely so that the mounting done in
that routine wouldn't fail.

However, in my testing lxc_caps_reset() wasn't really effective
anyway since it did not clear the bounding set. Adding prctl
PR_CAPBSET_DROP in a loop from 0 to CAP_LAST_CAP would fix this, but I
don't think its necessary to forcefully clear all capabilities since
users can now specify lxc.cap.keep = none to drop all capabilities.

Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
---
 src/lxc/caps.c     | 19 -------------------
 src/lxc/caps.h     |  4 ----
 src/lxc/lxc_init.c |  6 ------
 3 files changed, 29 deletions(-)

diff --git a/src/lxc/caps.c b/src/lxc/caps.c
index 28bb85e..9f3e96c 100644
--- a/src/lxc/caps.c
+++ b/src/lxc/caps.c
@@ -41,25 +41,6 @@ lxc_log_define(lxc_caps, lxc);
 #define PR_CAPBSET_READ 23
 #endif
 
-int lxc_caps_reset(void)
-{
-	cap_t cap = cap_init();
-	int ret = 0;
-
-	if (!cap) {
-		ERROR("cap_init() failed : %m");
-		return -1;
-	}
-
-	if (cap_set_proc(cap)) {
-		ERROR("cap_set_proc() failed : %m");
-		ret = -1;
-	}
-
-	cap_free(cap);
-	return ret;
-}
-
 int lxc_caps_down(void)
 {
 	cap_t caps;
diff --git a/src/lxc/caps.h b/src/lxc/caps.h
index daa8b61..ac508e3 100644
--- a/src/lxc/caps.h
+++ b/src/lxc/caps.h
@@ -26,16 +26,12 @@
 #define __LXC_CAPS_H
 
 #if HAVE_SYS_CAPABILITY_H
-extern int lxc_caps_reset(void);
 extern int lxc_caps_down(void);
 extern int lxc_caps_up(void);
 extern int lxc_caps_init(void);
 
 extern int lxc_caps_last_cap(void);
 #else
-static inline int lxc_caps_reset(void) {
-        return 0;
-}
 static inline int lxc_caps_down(void) {
         return 0;
 }
diff --git a/src/lxc/lxc_init.c b/src/lxc/lxc_init.c
index b5596a0..5578736 100644
--- a/src/lxc/lxc_init.c
+++ b/src/lxc/lxc_init.c
@@ -104,9 +104,6 @@ int main(int argc, char *argv[])
 		}
 	}
 
-	if (lxc_caps_init())
-		exit(EXIT_FAILURE);
-
 	err = lxc_log_init(name, name ? NULL : "none", logpriority,
 			   basename(argv[0]), quiet, lxcpath);
 	if (err < 0)
@@ -168,9 +165,6 @@ int main(int argc, char *argv[])
 
 	lxc_setup_fs();
 
-	if (lxc_caps_reset())
-		exit(EXIT_FAILURE);
-
 	pid = fork();
 
 	if (pid < 0)
-- 
1.9.3

More information about the lxc-devel mailing list