[lxc-devel] [PATCH] Also drop caps in unpriv containers
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Jan 5 12:41:47 UTC 2015
Quoting Stéphane Graber (stgraber at ubuntu.com):
No objection per se, but can you explain why? What is the use
case for this?
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> src/lxc/conf.c | 22 ++++++++++------------
> 1 file changed, 10 insertions(+), 12 deletions(-)
>
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index 472eb79..72181dd 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -4158,20 +4158,18 @@ int lxc_setup(struct lxc_handler *handler)
> return -1;
> }
>
> - if (lxc_list_empty(&lxc_conf->id_map)) {
> - if (!lxc_list_empty(&lxc_conf->keepcaps)) {
> - if (!lxc_list_empty(&lxc_conf->caps)) {
> - ERROR("Simultaneously requested dropping and keeping caps");
> - return -1;
> - }
> - if (dropcaps_except(&lxc_conf->keepcaps)) {
> - ERROR("failed to keep requested caps");
> - return -1;
> - }
> - } else if (setup_caps(&lxc_conf->caps)) {
> - ERROR("failed to drop capabilities");
> + if (!lxc_list_empty(&lxc_conf->keepcaps)) {
> + if (!lxc_list_empty(&lxc_conf->caps)) {
> + ERROR("Simultaneously requested dropping and keeping caps");
> return -1;
> }
> + if (dropcaps_except(&lxc_conf->keepcaps)) {
> + ERROR("failed to keep requested caps");
> + return -1;
> + }
> + } else if (setup_caps(&lxc_conf->caps)) {
> + ERROR("failed to drop capabilities");
> + return -1;
> }
>
> NOTICE("'%s' is setup.", name);
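Review bot: Removing the `lxc_list_empty(&lxc_conf->id_map)` guard at the top of this block changes behaviour for existing id-mapped containers, and neither the commit message nor a comment here says so. Previously the whole keepcaps/caps block was skipped when an id_map was configured, so any drop or keep list in an unprivileged container's config was silently ignored. Now those lists take effect, and a failure in `dropcaps_except()` or `setup_caps()`, or a config that sets both lists, makes `lxc_setup()` return -1 for containers that used to start. Please state the motivation in the commit message and mention this change for existing unprivileged configs. If these calls can fail inside a user namespace for reasons that do not apply to privileged containers, the error messages should make that case distinguishable.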
> --
> 1.9.1
>