[lxc-devel] [PATCH 1/2] allow lxc.cap.keep = none
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Jun 19 16:32:18 UTC 2014
Quoting Dwight Engen (dwight.engen at oracle.com):
> On Thu, 19 Jun 2014 14:23:40 +0000
> Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>
> > Quoting Dwight Engen (dwight.engen at oracle.com):
> > > Commit 1fb86a7c introduced a way to drop capabilities without
> > > having to specify them all explicitly. Unfortunately, there is no
> > > way to drop them all, as just specifying an empty keep list, ie:
> > >
> > > lxc.cap.keep =
> > >
> > > clears the keep list, causing no capabilities to be dropped.
> > >
> > > This change allows a special value "none" to be given, which will
> > > drop all capabilities. If "none" and some other valid capability
> > > are both specified, the "none" is ignored and the valid capability
> > > is kept.
> > >
> > > Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
> >
> > The way you have this, if I do
> >
> > lxc.cap.keep = sys_admin,none
> >
> > then sys_admin will not in fact be dropped. Is that what we want, or
> > do we want 'none' to be an absolute?
>
> Yeah, I'm not sure, which is why I mentioned that behavior. Initially I
Sorry, I see that now :)
> thought the syntax maybe should just be
>
> lxc.cap.keep =
>
> but that would require adding a flag to the logic to know that we'd
> seen a .keep (since the list would be empty) and gives it a meaning
> other than just "empty the keep list". Adding a none was a simple way
> to get us into the .keep logic instead of the .drop logic. Another
> alternative is to just not allow none and any other cap. I'm fine to
> implement whatever way we think makes the most sense.
To me making none always drop all seems to make more sense.
If you want to make sure you only keep a single cap cap_foo, you *should*
be able to do
lxc.cap.keep =
lxc.cap.keep = foo
right?
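To make the two readings of "none" concrete, here is an added example (not LXC's own parser; the function names and the capability set are constructed for illustration) that processes a sequence of lxc.cap.keep lines under both semantics discussed above:

```python
# Added example, not LXC's code: a model of how lxc.cap.keep lines could be
# interpreted under the two readings of "none" from the thread.

# Constructed sample of capabilities a container might start with.
ALL_CAPS = frozenset({"chown", "mknod", "net_admin", "setuid", "sys_admin"})


def keep_list_after(lines):
    """Collect lxc.cap.keep values in config order.

    An empty value ("lxc.cap.keep =") clears the list, as the thread
    describes; other keys are ignored; duplicates are collapsed.
    """
    keep = []
    for line in lines:
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "lxc.cap.keep":
            continue
        value = value.strip()
        if not value:
            keep = []
            continue
        for cap in value.split(","):
            cap = cap.strip()
            if cap and cap not in keep:
                keep.append(cap)
    return keep


def retained_caps(lines, none_is_absolute):
    """Return the set of capabilities the container ends up with.

    none_is_absolute=False: "none" is ignored when another cap is listed
    (the behaviour of the patch as posted).
    none_is_absolute=True: "none" always yields an empty set (the
    alternative Serge suggests), whatever else is listed.
    """
    keep = keep_list_after(lines)
    if "none" in keep:
        if none_is_absolute or len(keep) == 1:
            return frozenset()
        keep = [c for c in keep if c != "none"]
    if not keep:
        # Empty keep list: nothing is dropped. This is the gap the
        # patch is addressing.
        return ALL_CAPS
    unknown = set(keep) - ALL_CAPS
    if unknown:
        raise ValueError("unknown capability: " + ",".join(sorted(unknown)))
    return frozenset(keep)
```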