[lxc-devel] [lxc/master] lxc-alpine: do not drop setfcap

Serge E. Hallyn serge at hallyn.com
Tue Oct 18 16:21:57 UTC 2016


Quoting jirutka on Github (lxc-bot at linuxcontainers.org):
> The following pull request was submitted through Github.
> It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1241
> 
> This e-mail was sent by the LXC bot, direct replies will not reach the author
> unless they happen to be subscribed to this list.
> 
> === Description (from pull-request) ===
> @brauner I’m not entirely sure about this, could you please answer me two questions?
> 
> 1. Am I right that `setfcap` is not a security risk, i.e. it cannot be abused to escape from container to the host system?

No.

> 2. Is it true that `setcap` cannot work in unprivileged containers (i.e. containers that use a user namespace) anyway, only in privileged ones?

> From 64365bc2e95b8a62223d65c160215a465b1b8c03 Mon Sep 17 00:00:00 2001
> From: Jakub Jirutka <jakub at jirutka.cz>
> Date: Tue, 18 Oct 2016 18:09:42 +0200
> Subject: [PATCH] lxc-alpine: do not drop setfcap
> 
> Signed-off-by: Jakub Jirutka <jakub at jirutka.cz>
> ---
>  config/templates/alpine.common.conf.in | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/config/templates/alpine.common.conf.in b/config/templates/alpine.common.conf.in
> index 1be61f7..b344426 100644
> --- a/config/templates/alpine.common.conf.in
> +++ b/config/templates/alpine.common.conf.in
> @@ -8,7 +8,6 @@ lxc.devttydir =
>  lxc.cap.drop = audit_write
>  lxc.cap.drop = ipc_owner
>  lxc.cap.drop = mknod
> -lxc.cap.drop = setfcap
>  lxc.cap.drop = setpcap
>  lxc.cap.drop = sys_nice
>  lxc.cap.drop = sys_pacct
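
Review bot: the deleted line `lxc.cap.drop = setfcap` is removed with no rationale in the commit message, which carries only the subject and a Signed-off-by, while the pull-request description says the author is not entirely sure about the change. Because this is the common Alpine config, the deletion leaves CAP_SETFCAP (the capability to set file capabilities) available in every container that uses it. The commit message should state what fails inside the container while `setfcap` is dropped and why retaining it is acceptable when `setpcap` and the neighbouring entries stay dropped. If the need exists only for one kind of container, scope the change to that container type's config instead of `alpine.common.conf.in`.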
