[lxc-devel] [lxd/master] container_lxc: keep full capability set
brauner on Github
lxc-bot at linuxcontainers.org
Thu Mar 1 16:16:07 UTC 2018
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 469 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20180301/62c79306/attachment.bin>
-------------- next part --------------
From ddab67abb831421ed7dcb069f62e5ffaa528fa5d Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 1 Mar 2018 17:14:12 +0100
Subject: [PATCH] container_lxc: keep full capability set
Unprivileged container don't need to drop any capabilities. The kernel will
enforce security for us.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
lxd/container_lxc.go | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index eb1236bbe..66cb2aa1a 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -912,15 +912,17 @@ func (c *containerLXC) initLXC(config bool) error {
return nil
}
- // Base config
- toDrop := "sys_time sys_module sys_rawio"
- if !c.state.OS.AppArmorStacking || c.state.OS.AppArmorStacked {
- toDrop = toDrop + " mac_admin mac_override"
- }
+ if c.IsPrivileged() {
+ // Base config
+ toDrop := "sys_time sys_module sys_rawio"
+ if !c.state.OS.AppArmorStacking || c.state.OS.AppArmorStacked {
+ toDrop = toDrop + " mac_admin mac_override"
+ }
- err = lxcSetConfigItem(cc, "lxc.cap.drop", toDrop)
- if err != nil {
- return err
+ err = lxcSetConfigItem(cc, "lxc.cap.drop", toDrop)
+ if err != nil {
+ return err
+ }
}
// Set an appropriate /proc, /sys/ and /sys/fs/cgroup
More information about the lxc-devel
mailing list