[lxc-devel] File capability can not pass to process inside container

frank Cai tech.frank.cai at gmail.com
Mon Aug 15 16:04:53 UTC 2016


Working on an embedded system with a customized Linux kernel based on 3.14
and lxc-2.0.0. The kernel has been configured to support file capabilities.
lxc-checkconfig reports that the kernel is configured for file capabilities
correctly.

# lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: missing
Vlan: missing
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: missing
FUSE (for use with lxcfs): enabled

--- Checkpoint/Restore ---
checkpoint restore: missing
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: missing
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: missing
CONFIG_NETLINK_DIAG: missing
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

In fact, the file capability works on the host.
Here is the execution on the host.
dropRootPrivilege is a wrapper function which calls prctl with SECURE_NOROOT
to make root an unprivileged user.
# getcap /usr/bin/tmp.sh
/usr/bin/tmp.sh = cap_net_raw+ep
#  ./dropRootPrivilege  "tmp.sh" 2 &
# cat /proc/21992/task/21992/status
CapInh: 0000000000000000
CapPrm: 0000000000002000
CapEff: 0000000000002000
CapBnd: 0000001fffffffff

However, when the same function executes inside the container, tmp.sh's file
capability does not take effect. All effective and permitted capabilities are
zero.
Executed inside the container:
~ # getcap /usr/bin/tmp.sh
/usr/bin/tmp.sh = cap_net_raw+ep

~ # dropRootPrivilege  "tmp.sh" 2 &

~ # cat /proc/380/task/380/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000882135c0

The process (which executes tmp.sh) did not get the cap_net_raw capability.
Also, the lxc configuration file has the following capabilities:
lxc.cap.keep = none
lxc.cap.keep = net_admin
lxc.cap.keep = net_raw
lxc.cap.keep = setgid
lxc.cap.keep = setuid
lxc.cap.keep = mknod
lxc.cap.keep = sys_admin
lxc.cap.keep = sys_module
#lxc.cap.keep = sys_nice
lxc.cap.keep = net_bind_service
lxc.cap.keep = setpcap
lxc.cap.keep = setfcap
Even when I enabled all the capabilities, the running process still cannot get
the file capability.

Here are the questions:
1) Does lxc-2.0.0 support file capabilities? If not, is there a way to make
it work?
If yes, any suggestions on how I should debug this issue?
2) For Linux kernel 3.14, what kind of configuration should be selected to
support file capabilities inside an lxc container?
Already have the following kernel settings:
CONFIG_SECURITY=y
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_FILE_CAPABILITIES=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_EXT4_FS_XATTR=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CPUSETS=y
CONFIG_PROC_PID_CPUSET=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_RESOURCE_COUNTERS=y
CONFIG_MEMCG=y
CONFIG_MEMCG_KMEM=y
CONFIG_MEM_OWNER=y
CONFIG_CGROUP_SCHED=y
CONFIG_RT_GROUP_SCHED=y
CONFIG_FAIR_GROUP_SCHED=y
CONFIG_NAMESPACES=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_NET_NS=y

Thanks!
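The first thing to check when a file capability silently fails to apply is whether the capability is even in the task's bounding set, because at exec() the kernel computes the new permitted set as (P_inh & F_inh) | (F_permitted & cap_bset), so anything outside CapBnd is dropped before it can become effective. The script below is an added example, not code from the post or from LXC: it decodes the Cap* masks quoted above (the host and container values are copied into the constants HOST_STATUS and CONTAINER_STATUS as constructed samples), names the bits in the container's CapBnd of 0x882135c0, and compares the observed CapPrm/CapEff with what cap_net_raw+ep should have produced under that bounding set. The capability numbering follows <linux/capability.h>; all function names are the example's own.

```python
import re

# Capability bit numbers from <linux/capability.h>; a 3.14 kernel defines 0..36,
# which is why the host's CapBnd of 0x1fffffffff is exactly 37 set bits.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend",
]
CAP_NET_RAW = CAP_NAMES.index("net_raw")  # bit 13 -> mask 0x2000

# Constructed samples: the Cap* lines quoted in the post, host and container.
HOST_STATUS = """\
CapInh: 0000000000000000
CapPrm: 0000000000002000
CapEff: 0000000000002000
CapBnd: 0000001fffffffff
"""
CONTAINER_STATUS = """\
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000882135c0
"""


def parse_status(text):
    """Map each Cap* line of /proc/<pid>/status to an integer bitmask."""
    pat = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)
    return {m.group(1): int(m.group(2), 16) for m in pat.finditer(text)}


def cap_names(mask):
    """Names of the capabilities set in a bitmask, lowest bit first."""
    names, bit = [], 0
    while mask >> bit:
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
        bit += 1
    return names


def caps_after_exec(bnd, inh, f_permitted, f_inheritable=0, f_effective=True):
    """Permitted/effective sets a non-root task ends up with after exec()ing a
    file that carries file capabilities, per capabilities(7):
        P' = (P_inh & F_inh) | (F_permitted & cap_bset)
        E' = P' if the file's effective bit is set, else 0
    The bounding set can only remove bits from what the file grants."""
    permitted = (inh & f_inheritable) | (f_permitted & bnd)
    effective = permitted if f_effective else 0
    return permitted, effective


def in_bounding_set(status_text, cap):
    """True if capability number `cap` is in the task's CapBnd."""
    return bool(parse_status(status_text)["CapBnd"] >> cap & 1)


def file_caps_took_effect(status_text, f_permitted, f_effective=True):
    """Compare the task's observed CapPrm/CapEff with what file caps of
    `f_permitted` (+e if f_effective) should have produced given its CapBnd
    and CapInh. False means the file's capabilities are missing from the task
    even though the bounding set would have allowed them, so the cause lies
    elsewhere than lxc.cap.keep / CapBnd."""
    caps = parse_status(status_text)
    want = caps_after_exec(caps["CapBnd"], caps["CapInh"], f_permitted, 0, f_effective)
    return (caps["CapPrm"], caps["CapEff"]) == want


if __name__ == "__main__":
    for label, status in (("host", HOST_STATUS), ("container", CONTAINER_STATUS)):
        caps = parse_status(status)
        print("%s CapBnd: %s" % (label, ", ".join(cap_names(caps["CapBnd"]))))
        print("  net_raw in bounding set: %s" % in_bounding_set(status, CAP_NET_RAW))
        print("  cap_net_raw+ep applied at exec: %s"
              % file_caps_took_effect(status, 1 << CAP_NET_RAW))
```

Run against the values in the post, the container's CapBnd decodes to setgid, setuid, setpcap, net_bind_service, net_admin, net_raw, sys_module, sys_admin, mknod and setfcap, which is exactly the lxc.cap.keep list, so net_raw is allowed by the bounding set and the expected result of exec()ing cap_net_raw+ep would be CapPrm = CapEff = 0x2000; the observed zeros mean the xattr was never applied at exec time rather than being filtered by CapBnd. Two things worth checking next, neither of which lxc-checkconfig reports: whether the container's rootfs (or the mount holding /usr/bin) is mounted nosuid, since the kernel ignores file capabilities on nosuid mounts, and whether the security.capability xattr survives the path by which the rootfs reaches the container. Also note that since kernel 2.6.33 file capabilities are built in unconditionally and CONFIG_SECURITY_FILE_CAPABILITIES no longer exists as an option, which is why lxc-checkconfig reports them enabled on a 3.14 kernel regardless of that line in the config.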