[Lxc-users] dropping capabilities
richard -rw- weinberger
richard.weinberger at gmail.com
Mon Oct 4 16:18:27 UTC 2010
On Sun, Oct 3, 2010 at 9:01 PM, richard -rw- weinberger
<richard.weinberger at gmail.com> wrote:
> I'm using lxc to run a few virtual private servers.
> What capabilities are harmful and should be dropped using "lxc.cap.drop"?
Is my question too trivial or too stupid? ;)
Here what i know so far:
CAP_AUDIT_CONTROL:
should be dropped
CAP_AUDIT_WRITE:
should be dropped
CAP_CHOWN:
is ok
CAP_DAC_OVERRIDE:
is ok
CAP_DAC_READ_SEARCH
is ok
CAP_FOWNER
is ok
CAP_FSETID
is ok
CAP_IPC_LOCK
is ok
CAP_IPC_OWNER
is ok
CAP_KILL
is ok
CAP_LEASE
is ok
CAP_LINUX_IMMUTABLE
is ok
CAP_MAC_ADMIN
should be dropped
CAP_MAC_OVERRIDE
should be dropped
CAP_MKNOD
should be dropped
CAP_NET_ADMIN
is ok
CAP_NET_BIND_SERVICE
is ok
CAP_NET_BROADCAST
is ok
CAP_NET_RAW
ok?
CAP_SETGID
is ok
CAP_SETFCAP
should be dropped
CAP_SETPCAP
should be dropped
CAP_SETUID
is ok
CAP_SYS_ADMIN
should be dropped
CAP_SYS_BOOT
should be dropped
CAP_SYS_CHROOT
should be dropped
CAP_SYS_MODULE
should be dropped
CAP_SYS_NICE
should be dropped
CAP_SYS_PACCT
should be dropped
CAP_SYS_PTRACE
is ok
CAP_SYS_RAWIO
should be dropped
CAP_SYS_RESOURCE
should be dropped
CAP_SYS_TIME
should be dropped
CAP_SYS_TTY_CONFIG
should be dropped
Thanks!
--
Cheers,
//richard
More information about the lxc-users
mailing list