[lxc-devel] [PATCH 1/2] allow lxc.cap.keep = none

Serge Hallyn serge.hallyn at ubuntu.com
Thu Jun 19 16:32:18 UTC 2014


Quoting Dwight Engen (dwight.engen at oracle.com):
> On Thu, 19 Jun 2014 14:23:40 +0000
> Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> 
> > Quoting Dwight Engen (dwight.engen at oracle.com):
> > > Commit 1fb86a7c introduced a way to drop capabilities without
> > > having to specify them all explicitly. Unfortunately, there is no
> > > way to drop them all, as just specifying an empty keep list, i.e.:
> > > 
> > >     lxc.cap.keep =
> > > 
> > > clears the keep list, causing no capabilities to be dropped.
> > > 
> > > This change allows a special value "none" to be given, which will
> > > drop all capabilities. If "none" and some other valid capability
> > > are both specified, the "none" is ignored and the valid capability
> > > is kept.
> > > 
> > > Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
> > 
> > The way you have this, if I do
> > 
> > lxc.cap.keep = sys_admin,none
> > 
> > then sys_admin will not in fact be dropped.  Is that what we want, or
> > do we want 'none' to be an absolute?
> 
> Yeah, I'm not sure, which is why I mentioned that behavior. Initially I

Sorry, I see that now :)

> thought the syntax maybe should just be
> 
>   lxc.cap.keep =
> 
> but that would require adding a flag to the logic to know that we'd
> seen a .keep (since the list would be empty) and gives it a meaning
> other than just "empty the keep list". Adding a none was a simple way
> to get us into the .keep logic instead of the .drop logic. Another
> alternative is to just not allow none and any other cap. I'm fine to
> implement whatever way we think makes the most sense.

To me making none always drop all seems to make more sense.

If you want to make sure you only keep a single cap cap_foo, you *should*
be able to do

lxc.cap.keep =
lxc.cap.keep = foo

right?
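To make the two readings of "none" concrete, here is an added model (not LXC's own parser, which lives in its C code base) of how successive `lxc.cap.keep` values accumulate; the capability names in `SAMPLE_CAPS` are a constructed sample, and "foo" stands in for any real capability as in the message above.

```python
# Model of how successive lxc.cap.keep values accumulate, written to compare the
# two readings of "none" discussed in the thread. This is an added illustration,
# not LXC's own parser, and the capability names below are a constructed sample.

SAMPLE_CAPS = {"sys_admin", "net_admin", "sys_module", "mknod", "chown"}

PATCH = "patch"          # as posted: "none" is ignored when a valid cap is also listed
ABSOLUTE = "absolute"    # the suggested alternative: "none" always drops everything


def parse_keep_lines(values):
    """Replay the values of successive `lxc.cap.keep = <value>` lines.

    Returns (keep_list, saw_none). An empty value clears the list, which is
    the behaviour the thread describes for a bare `lxc.cap.keep =`.
    """
    keep, saw_none = [], False
    for value in values:
        names = [n.strip() for n in value.split(",") if n.strip()]
        if not names:
            keep, saw_none = [], False   # clearing forgets an earlier "none" too
            continue
        for name in names:
            if name == "none":
                saw_none = True
            elif name not in keep:
                keep.append(name)
    return keep, saw_none


def effective_keep(values, mode):
    """Capabilities kept under the given reading of "none".

    None means the keep list is empty and never saw "none", so nothing is
    dropped by the .keep logic (the gap the patch was written to close).
    """
    keep, saw_none = parse_keep_lines(values)
    if saw_none and (mode == ABSOLUTE or not keep):
        return set()                     # drop all capabilities
    if not keep:
        return None                      # keep list inactive
    return set(keep)


def dropped(values, mode, all_caps=SAMPLE_CAPS):
    """Which of all_caps would be dropped for a given config and reading."""
    keep = effective_keep(values, mode)
    return set() if keep is None else set(all_caps) - keep


if __name__ == "__main__":
    for cfg in (["none"], ["sys_admin,none"], ["", "foo"], [""]):
        print(cfg, dropped(cfg, PATCH), dropped(cfg, ABSOLUTE))
```

Running it shows the one case where the readings diverge: `sys_admin,none` keeps sys_admin under the posted patch but drops everything under the absolute reading, while `lxc.cap.keep =` followed by `lxc.cap.keep = foo` keeps only foo either way.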