[lxc-devel] [PATCH 1/2] allow lxc.cap.keep = none

Serge Hallyn serge.hallyn at ubuntu.com
Thu Jun 19 14:23:40 UTC 2014


Quoting Dwight Engen (dwight.engen at oracle.com):
> Commit 1fb86a7c introduced a way to drop capabilities without having to
> specify them all explicitly. Unfortunately, there is no way to drop them
> all, as just specifying an empty keep list, ie:
> 
>     lxc.cap.keep =
> 
> clears the keep list, causing no capabilities to be dropped.
> 
> This change allows a special value "none" to be given, which will drop
> all capabilities. If "none" and some other valid capability are both
> specified, the "none" is ignored and the valid capability is kept.
> 
> Signed-off-by: Dwight Engen <dwight.engen at oracle.com>

The way you have this, if I do

lxc.cap.keep = sys_admin,none

then sys_admin will not in fact be dropped.  Is that what we want, or
do we want 'none' to be an absolute?

> ---
>  doc/lxc.container.conf.sgml.in | 3 ++-
>  src/lxc/conf.c                 | 6 ++++++
>  2 files changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
> index 30fe4a8..63e3f26 100644
> --- a/doc/lxc.container.conf.sgml.in
> +++ b/doc/lxc.container.conf.sgml.in
> @@ -1010,7 +1010,8 @@ proc proc proc nodev,noexec,nosuid 0 0
>  	  <listitem>
>  	    <para>
>  	      Specify the capability to be kept in the container. All other
> -	      capabilities will be dropped.
> +	      capabilities will be dropped. A special value of "none" means
> +	      lxc will drop all capabilities.
>  	    </para>
>  	  </listitem>
>  	</varlistentry>
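Review bot: the new sentence documents only the "none" value itself; the commit message also states that "none" is ignored when it appears alongside a valid capability (for example `lxc.cap.keep = sys_admin,none`), and that precedence rule belongs in the same <para> so users do not expect "none" to override the rest of the list.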
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index 4b52550..ad09036 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -2198,6 +2198,9 @@ static int parse_cap(const char *cap)
>  	char *ptr = NULL;
>  	int i, capid = -1;
>  
> +	if (!strcmp(cap, "none"))
> +		return -2;
> +
>  	for (i = 0; i < sizeof(caps_opt)/sizeof(caps_opt[0]); i++) {
>  
>  		if (strcmp(cap, caps_opt[i].name))
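Review bot: `return -2;` introduces a bare sentinel next to the existing `-1` failure path, and the caller must know that -2 means "none" rather than "unknown capability"; a named constant (e.g. a `#define` for the "none" result) alongside the existing `capid = -1` initialisation would make the parse_cap() contract explicit.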
> @@ -2291,6 +2294,9 @@ static int dropcaps_except(struct lxc_list *caps)
>  
>  		capid = parse_cap(keep_entry);
>  
> +		if (capid == -2)
> +			continue;
> +
>  	        if (capid < 0) {
>  			ERROR("unknown capability %s", keep_entry);
>  			return -1;
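Review bot: `if (capid == -2) continue;` silently skips the "none" entry, so a mixed list such as "sys_admin,none" keeps sys_admin and any other listed capability; if "none" is meant to be absolute, this is the place to either record that "none" was seen and drop everything after the loop, or reject the mixed list with an ERROR like the one already emitted for unknown capabilities, rather than letting the combination pass without a diagnostic.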
> -- 
> 1.9.3
> 
