[lxc-devel] [lxd/master] container_lxc: keep full capability set

brauner on Github lxc-bot at linuxcontainers.org
Thu Mar 1 16:16:07 UTC 2018


From ddab67abb831421ed7dcb069f62e5ffaa528fa5d Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 1 Mar 2018 17:14:12 +0100
Subject: [PATCH] container_lxc: keep full capability set

Unprivileged containers don't need to drop any capabilities. The kernel will
enforce security for us.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 lxd/container_lxc.go | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index eb1236bbe..66cb2aa1a 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -912,15 +912,17 @@ func (c *containerLXC) initLXC(config bool) error {
 		return nil
 	}
 
-	// Base config
-	toDrop := "sys_time sys_module sys_rawio"
-	if !c.state.OS.AppArmorStacking || c.state.OS.AppArmorStacked {
-		toDrop = toDrop + " mac_admin mac_override"
-	}
+	if c.IsPrivileged() {
+		// Base config
+		toDrop := "sys_time sys_module sys_rawio"
+		if !c.state.OS.AppArmorStacking || c.state.OS.AppArmorStacked {
+			toDrop = toDrop + " mac_admin mac_override"
+		}
 
-	err = lxcSetConfigItem(cc, "lxc.cap.drop", toDrop)
-	if err != nil {
-		return err
+		err = lxcSetConfigItem(cc, "lxc.cap.drop", toDrop)
+		if err != nil {
+			return err
+		}
 	}
 
 	// Set an appropriate /proc, /sys/ and /sys/fs/cgroup
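Review bot: the new `c.IsPrivileged()` branch also drops the AppArmor-dependent `mac_admin mac_override` handling for unprivileged containers, but the commit message only says "the kernel will enforce security"; the justification should be recorded where the code is read, since the old code dropped those two caps based on `c.state.OS.AppArmorStacking` / `c.state.OS.AppArmorStacked` regardless of privilege. Suggest expanding the `// Base config` comment inside the branch to state that for an unprivileged container the retained capabilities (sys_time, sys_module, sys_rawio, mac_admin, mac_override) are only meaningful in the container's own user namespace, so the AppArmor stacking condition now applies only to privileged containers.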


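As an added check, not part of the patch or of LXD itself: after this change an unprivileged container keeps sys_time, sys_module, sys_rawio, mac_admin and mac_override in its bounding set, while a privileged one still has them dropped via `lxc.cap.drop`. The program below reads `/proc/self/status` and reports which of those five capabilities are absent from `CapBnd` and `CapEff`, which is how one would confirm from inside a container which branch of the patch applied. The capability bit numbers are taken from the kernel's uapi `linux/capability.h`; the status text in the test is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Capability bit numbers from the kernel's uapi linux/capability.h.
// Only the capabilities named in the LXD patch are listed.
var capBits = map[string]uint{
	"sys_module":   16,
	"sys_rawio":    17,
	"sys_time":     25,
	"mac_override": 32,
	"mac_admin":    33,
}

// patchCaps is the set the old LXD code always dropped plus the two it
// dropped when AppArmor stacking was unavailable.
var patchCaps = []string{"sys_time", "sys_module", "sys_rawio", "mac_admin", "mac_override"}

// parseCapField returns the 64-bit mask of the given "CapXxx" field
// (CapBnd, CapEff, ...) from the text of a /proc/<pid>/status file.
func parseCapField(status, field string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	prefix := field + ":"
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, prefix) {
			continue
		}
		hex := strings.TrimSpace(strings.TrimPrefix(line, prefix))
		return strconv.ParseUint(hex, 16, 64)
	}
	return 0, fmt.Errorf("field %s not found", field)
}

// missingCaps lists which of names are NOT set in mask, in the order given.
// Names without a known bit number are skipped.
func missingCaps(mask uint64, names []string) []string {
	var out []string
	for _, n := range names {
		bit, ok := capBits[n]
		if !ok {
			continue
		}
		if mask&(uint64(1)<<bit) == 0 {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	data, err := os.ReadFile("/proc/self/status")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	status := string(data)
	for _, f := range []string{"CapBnd", "CapEff"} {
		mask, err := parseCapField(status, f)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("%s=%#x missing: %v\n", f, mask, missingCaps(mask, patchCaps))
	}
}
```

Run it as root inside the container: an empty "missing" list for CapBnd means no `lxc.cap.drop` was applied, which after this patch is expected only for unprivileged containers; a privileged container should still list all five (or three, where AppArmor stacking is in use).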