[lxc-devel] [PATCH 1/2] allow lxc.cap.keep = none

Dwight Engen dwight.engen at oracle.com
Thu Jun 19 15:39:36 UTC 2014


On Thu, 19 Jun 2014 14:23:40 +0000
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting Dwight Engen (dwight.engen at oracle.com):
> > Commit 1fb86a7c introduced a way to drop capabilities without
> > having to specify them all explicitly. Unfortunately, there is no
> > way to drop them all, as just specifying an empty keep list, ie:
> > 
> >     lxc.cap.keep =
> > 
> > clears the keep list, causing no capabilities to be dropped.
> > 
> > This change allows a special value "none" to be given, which will
> > drop all capabilities. If "none" and some other valid capability
> > are both specified, the "none" is ignored and the valid capability
> > is kept.
> > 
> > Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
> 
> The way you have this, if I do
> 
> lxc.cap.keep = sys_admin,none
> 
> then sys_admin will not in fact be dropped.  Is that what we want, or
> do we want 'none' to be an absolute?

Yeah, I'm not sure, which is why I mentioned that behavior. Initially I
thought the syntax maybe should just be

  lxc.cap.keep =

but that would require adding a flag to the logic to know that we'd
seen a .keep (since the list would be empty) and gives it a meaning
other than just "empty the keep list". Adding a none was a simple way
to get us into the .keep logic instead of the .drop logic. Another
alternative is to just not allow none and any other cap. I'm fine to
implement whatever way we think makes the most sense.

> > ---
> >  doc/lxc.container.conf.sgml.in | 3 ++-
> >  src/lxc/conf.c                 | 6 ++++++
> >  2 files changed, 8 insertions(+), 1 deletion(-)
> > 
> > diff --git a/doc/lxc.container.conf.sgml.in
> > b/doc/lxc.container.conf.sgml.in index 30fe4a8..63e3f26 100644
> > --- a/doc/lxc.container.conf.sgml.in
> > +++ b/doc/lxc.container.conf.sgml.in
> > @@ -1010,7 +1010,8 @@ proc proc proc nodev,noexec,nosuid 0 0
> >  	  <listitem>
> >  	    <para>
> >  	      Specify the capability to be kept in the container.
> > All other
> > -	      capabilities will be dropped.
> > +	      capabilities will be dropped. A special value of
> > "none" means
> > +	      lxc will drop all capabilities.
> >  	    </para>
> >  	  </listitem>
> >  	</varlistentry>
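Review bot: the added sentence covers only the case where "none" appears alone; the commit message states that a "none" listed alongside a valid capability is ignored and the valid capability kept, and that interaction is exactly what a reader of this paragraph needs. Suggest appending a sentence such as: 'If "none" is listed together with other capabilities, it is ignored and the listed capabilities are kept.' (or, if the semantics change so that "none" is absolute, state that instead so the documentation and the parser agree).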
> > diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > index 4b52550..ad09036 100644
> > --- a/src/lxc/conf.c
> > +++ b/src/lxc/conf.c
> > @@ -2198,6 +2198,9 @@ static int parse_cap(const char *cap)
> >  	char *ptr = NULL;
> >  	int i, capid = -1;
> >  
> > +	if (!strcmp(cap, "none"))
> > +		return -2;
> > +
> >  	for (i = 0; i < sizeof(caps_opt)/sizeof(caps_opt[0]); i++)
> > { 
> >  		if (strcmp(cap, caps_opt[i].name))
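Review bot: the bare `-2` returned for "none" is a magic number that lands in the same negative range as the existing `-1` "unknown capability" result. A named constant (for example a `#define` for the "none" sentinel) would make the intent obvious both here and at the `capid == -2` test in dropcaps_except, and it makes the ordering requirement explicit: any caller of parse_cap that only tests `capid < 0` will now report "none" as an unknown capability, so the lxc.cap.drop side should be checked for that (or documented as rejecting "none").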
> > @@ -2291,6 +2294,9 @@ static int dropcaps_except(struct lxc_list
> > *caps) 
> >  		capid = parse_cap(keep_entry);
> >  
> > +		if (capid == -2)
> > +			continue;
> > +
> >  	        if (capid < 0) {
> >  			ERROR("unknown capability %s", keep_entry);
> >  			return -1;
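Review bot: the `continue` on `-2` silently discards "none" whenever the keep list also names real capabilities, which is the `lxc.cap.keep = sys_admin,none` case raised above: the configuration reads as "keep nothing" but the container keeps sys_admin with no diagnostic. At minimum a WARN() at this point would surface the mismatch; if "none" is meant to be absolute, the loop should instead return -1 when "none" is combined with any other entry, in which case the `-2` check must also not be reached before the other entries have been seen. Minor: the `if (capid < 0) {` context line is indented with spaces after the tab while the surrounding lines use tabs only; pre-existing, but worth fixing while touching this block.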
> > -- 
> > 1.9.3
> > 
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
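The reply above weighs three ways to treat "none": ignore it when other capabilities are listed (what the patch does), make it absolute, or reject the combination. The block below is an added example, not lxc code and not Dwight's patch, showing the reject-the-combination alternative as a stand-alone parser: a named sentinel replaces the bare -2, an empty value is reported as "keep list cleared" (the behaviour the commit message describes for `lxc.cap.keep =`), and the result is a keep mask over a constructed capability table, so the caller can see what would be dropped without touching capset(). The `caps_opt` table, the `CAP_PARSE_*` constants and the `parse_keep_list`/`count_dropped` helpers are all assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strtok_r */
#include <stdio.h>
#include <string.h>

/* Constructed subset of capability names for the example; lxc's real
 * caps_opt table is much longer. The id column is illustrative. */
static const struct { const char *name; int id; } caps_opt[] = {
	{ "chown", 0 }, { "dac_override", 1 }, { "kill", 5 },
	{ "net_bind_service", 10 }, { "sys_admin", 21 },
};
#define NCAPS (sizeof(caps_opt) / sizeof(caps_opt[0]))

/* Named sentinels instead of bare -1 / -2 so the ordering of checks
 * at the call site is self-documenting. */
#define CAP_PARSE_UNKNOWN (-1)
#define CAP_PARSE_NONE    (-2)

/* Same shape as lxc's parse_cap(): a capability id, or a negative sentinel. */
static int parse_cap(const char *cap)
{
	size_t i;

	if (!strcmp(cap, "none"))
		return CAP_PARSE_NONE;
	for (i = 0; i < NCAPS; i++)
		if (!strcmp(cap, caps_opt[i].name))
			return caps_opt[i].id;
	return CAP_PARSE_UNKNOWN;
}

/* Parse the value of "lxc.cap.keep = ...". Bit i of *keep_mask is set when
 * caps_opt[i] is to be kept. Returns 0 on success, 1 when the value is
 * empty (keep list cleared: drop nothing), -1 on error. "none" is absolute
 * here: listing it together with any other capability is an error. */
static int parse_keep_list(const char *value, unsigned int *keep_mask)
{
	char buf[256], *save, *tok;
	unsigned int mask = 0;
	int seen_none = 0, seen_cap = 0, capid;
	size_t i;

	if (strlen(value) >= sizeof(buf))
		return -1;
	strcpy(buf, value);

	for (tok = strtok_r(buf, ", \t", &save); tok;
	     tok = strtok_r(NULL, ", \t", &save)) {
		capid = parse_cap(tok);
		if (capid == CAP_PARSE_NONE) {   /* must be tested before < 0 */
			seen_none = 1;
			continue;
		}
		if (capid < 0) {
			fprintf(stderr, "unknown capability %s\n", tok);
			return -1;
		}
		seen_cap = 1;
		for (i = 0; i < NCAPS; i++)
			if (caps_opt[i].id == capid)
				mask |= 1u << i;
	}

	if (!seen_none && !seen_cap)
		return 1;                       /* "lxc.cap.keep =" clears the list */
	if (seen_none && seen_cap) {
		fprintf(stderr, "lxc.cap.keep: \"none\" cannot be combined "
		                "with other capabilities\n");
		return -1;
	}
	*keep_mask = mask;                      /* "none" alone yields mask 0 */
	return 0;
}

/* Number of table entries that would be dropped for a given keep mask. */
static int count_dropped(unsigned int keep_mask)
{
	int n = 0;
	size_t i;

	for (i = 0; i < NCAPS; i++)
		if (!(keep_mask & (1u << i)))
			n++;
	return n;
}

int main(void)
{
	const char *inputs[] = { "none", "sys_admin,none", "chown,kill", "" };
	unsigned int mask;
	size_t i;

	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
		int rc = parse_keep_list(inputs[i], &mask);
		printf("\"%s\": rc=%d%s\n", inputs[i], rc,
		       rc == 0 ? "" : rc == 1 ? " (list cleared, drop nothing)" : " (rejected)");
		if (rc == 0)
			printf("  would drop %d of %zu capabilities\n", count_dropped(mask), NCAPS);
	}
	return 0;
}
```

Because `CAP_PARSE_NONE` sits in the same negative range as `CAP_PARSE_UNKNOWN`, the `== CAP_PARSE_NONE` test has to precede the `< 0` test, exactly the ordering the second hunk of the patch relies on; naming the constant makes that dependency visible at the call site.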