[lxc-devel] [PATCH 2/2] don't force dropping capabilities in lxc-init
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Jun 19 14:20:29 UTC 2014
Quoting Dwight Engen (dwight.engen at oracle.com):
> Commit 0af683cf added clearing of capabilities to lxc-init, but only
> after lxc_setup_fs() was done, likely so that the mounting done in
> that routine wouldn't fail.
>
> However, in my testing lxc_caps_reset() wasn't really effective
> anyway since it did not clear the bounding set. Adding prctl
> PR_CAPBSET_DROP in a loop from 0 to CAP_LAST_CAP would fix this, but I
> don't think it's necessary to forcefully clear all capabilities since
> users can now specify lxc.cap.keep = none to drop all capabilities.
>
> Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> ---
> src/lxc/caps.c | 19 -------------------
> src/lxc/caps.h | 4 ----
> src/lxc/lxc_init.c | 6 ------
> 3 files changed, 29 deletions(-)
>
> diff --git a/src/lxc/caps.c b/src/lxc/caps.c
> index 28bb85e..9f3e96c 100644
> --- a/src/lxc/caps.c
> +++ b/src/lxc/caps.c
> @@ -41,25 +41,6 @@ lxc_log_define(lxc_caps, lxc);
> #define PR_CAPBSET_READ 23
> #endif
>
> -int lxc_caps_reset(void)
> -{
> - cap_t cap = cap_init();
> - int ret = 0;
> -
> - if (!cap) {
> - ERROR("cap_init() failed : %m");
> - return -1;
> - }
> -
> - if (cap_set_proc(cap)) {
> - ERROR("cap_set_proc() failed : %m");
> - ret = -1;
> - }
> -
> - cap_free(cap);
> - return ret;
> -}
> -
> int lxc_caps_down(void)
> {
> cap_t caps;
> diff --git a/src/lxc/caps.h b/src/lxc/caps.h
> index daa8b61..ac508e3 100644
> --- a/src/lxc/caps.h
> +++ b/src/lxc/caps.h
> @@ -26,16 +26,12 @@
> #define __LXC_CAPS_H
>
> #if HAVE_SYS_CAPABILITY_H
> -extern int lxc_caps_reset(void);
> extern int lxc_caps_down(void);
> extern int lxc_caps_up(void);
> extern int lxc_caps_init(void);
>
> extern int lxc_caps_last_cap(void);
> #else
> -static inline int lxc_caps_reset(void) {
> - return 0;
> -}
> static inline int lxc_caps_down(void) {
> return 0;
> }
> diff --git a/src/lxc/lxc_init.c b/src/lxc/lxc_init.c
> index b5596a0..5578736 100644
> --- a/src/lxc/lxc_init.c
> +++ b/src/lxc/lxc_init.c
> @@ -104,9 +104,6 @@ int main(int argc, char *argv[])
> }
> }
>
> - if (lxc_caps_init())
> - exit(EXIT_FAILURE);
> -
> err = lxc_log_init(name, name ? NULL : "none", logpriority,
> basename(argv[0]), quiet, lxcpath);
> if (err < 0)
> @@ -168,9 +165,6 @@ int main(int argc, char *argv[])
>
> lxc_setup_fs();
>
> - if (lxc_caps_reset())
> - exit(EXIT_FAILURE);
> -
> pid = fork();
>
> if (pid < 0)
> --
> 1.9.3
>