[Lxc-users] dropping capabilities

Trent W. Buck twb at cybersource.com.au
Mon Dec 6 03:23:54 UTC 2010


richard -rw- weinberger
<richard.weinberger at gmail.com> writes:

> I'm using lxc to run a few virtual private servers.
> What capabilities are harmful and should be dropped using "lxc.cap.drop"?

FWIW...

Running 10.04 both as the "dom0" and in the containers, I am dropping
the following capabilities.  Basically I started by dropping ALL
capabilities, then twiddled individual caps until <things> worked
again -- which you can see in the commented-out lines.

The "root_squash" ones are a bit like NFS root_squash, which treats root:root
as nobody:nogroup.  They basically broke a lot of "apt-get install foo"
postinst scripts.

I get around upstart wanting sys_admin by adding lxc.mount.entry lines
for proc and sys, and diverting mount/umount/swapon/swapoff and
symlinking them to /bin/true within the guest.  The main reason I did
that was to prevent / being mount -o remount,ro by
/etc/init.d/umountnfs during halt.

    bad_caps=(
        # chown net_admin setgid                 # getty or login
        # net_bind_service net_raw net_broadcast # dhclient
        # setuid                                 # rsyslog
        # sys_chroot                             # openssh-server
        # fowner dac_override dac_read_search    # lots of things (like root_squash)
        audit_control audit_write fsetid ipc_lock ipc_owner kill lease
        linux_immutable mac_admin mac_override mknod setfcap setpcap
        sys_admin sys_boot sys_module sys_nice sys_pacct sys_ptrace
        sys_rawio sys_resource sys_time sys_tty_config )
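Added example, not from Trent's post or from the LXC project: a small Python audit that folds a container config's lxc.cap.drop lines into one set (assumption: repeated keys accumulate and a value-less `lxc.cap.drop =` clears the list, as lxc.container.conf describes) and reports which caps from the bad_caps list above the container still keeps, and which dropped caps the post's commented-out lines say a guest service needs. The config text, `parse_cap_drop`, `audit` and `NEEDED_BY` are constructed for this example.

```python
import re
# Capabilities the post drops (copied from the bad_caps array above).
BAD_CAPS = frozenset("""
audit_control audit_write fsetid ipc_lock ipc_owner kill lease
linux_immutable mac_admin mac_override mknod setfcap setpcap
sys_admin sys_boot sys_module sys_nice sys_pacct sys_ptrace
sys_rawio sys_resource sys_time sys_tty_config
""".split())

# Caps the post found a guest service needs (its commented-out lines).
NEEDED_BY = {
    "chown": "getty/login", "net_admin": "getty/login", "setgid": "getty/login",
    "net_bind_service": "dhclient", "net_raw": "dhclient", "net_broadcast": "dhclient",
    "setuid": "rsyslog", "sys_chroot": "openssh-server",
    "fowner": "root_squash", "dac_override": "root_squash", "dac_read_search": "root_squash",
}

KEY_RE = re.compile(r"^\s*lxc\.cap\.drop\s*=\s*(.*?)\s*$")

def parse_cap_drop(config_text):
    """Caps dropped after all lxc.cap.drop lines: repeated keys accumulate and a
    bare 'lxc.cap.drop =' clears the list (assumed lxc.container.conf semantics)."""
    dropped = set()
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # LXC comment line
        m = KEY_RE.match(line)
        if not m:
            continue
        if m.group(1):
            dropped.update(m.group(1).lower().split())
        else:
            dropped.clear()
    return dropped

def audit(config_text):
    """Return (missing, over_dropped): caps from BAD_CAPS the config still grants,
    and dropped caps that the post found a guest service needs."""
    dropped = parse_cap_drop(config_text)
    missing = sorted(BAD_CAPS - dropped)
    over_dropped = {c: NEEDED_BY[c] for c in sorted(dropped & set(NEEDED_BY))}
    return missing, over_dropped

# Constructed sample: two accumulating drop lines; setuid is one the post kept for rsyslog.
SAMPLE_CONFIG = """\
lxc.utsname = vps1
lxc.cap.drop = sys_module sys_rawio mknod
lxc.cap.drop = sys_admin setuid
"""
```

Running `audit(SAMPLE_CONFIG)` lists the 19 caps from the post's set that this config still grants and flags setuid as dropped but needed by rsyslog.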