[Lxc-users] dropping capabilities

richard -rw- weinberger richard.weinberger at gmail.com
Mon Oct 4 16:18:27 UTC 2010


On Sun, Oct 3, 2010 at 9:01 PM, richard -rw- weinberger
<richard.weinberger at gmail.com> wrote:
> I'm using lxc to run a few virtual private servers.
> What capabilities are harmful and should be dropped using "lxc.cap.drop"?

Is my question too trivial or too stupid? ;)

Here what i know so far:

CAP_AUDIT_CONTROL:
  should be dropped
CAP_AUDIT_WRITE:
  should be dropped
CAP_CHOWN:
  is ok
CAP_DAC_OVERRIDE:
  is ok
CAP_DAC_READ_SEARCH
  is ok
CAP_FOWNER
  is ok
CAP_FSETID
  is ok
CAP_IPC_LOCK
  is ok
CAP_IPC_OWNER
  is ok
CAP_KILL
  is ok
CAP_LEASE
  is ok
CAP_LINUX_IMMUTABLE
  is ok
CAP_MAC_ADMIN
  should be dropped
CAP_MAC_OVERRIDE
  should be dropped
CAP_MKNOD
  should be dropped
CAP_NET_ADMIN
  is ok
CAP_NET_BIND_SERVICE
  is ok
CAP_NET_BROADCAST
  is ok
CAP_NET_RAW
  ok?
CAP_SETGID
  is ok
CAP_SETFCAP
  should be dropped
CAP_SETPCAP
  should be dropped
CAP_SETUID
  is ok
CAP_SYS_ADMIN
  should be dropped
CAP_SYS_BOOT
  should be dropped
CAP_SYS_CHROOT
  should be dropped
CAP_SYS_MODULE
  should be dropped
CAP_SYS_NICE
  should be dropped
CAP_SYS_PACCT
  should be dropped
CAP_SYS_PTRACE
  is ok
CAP_SYS_RAWIO
  should be dropped
CAP_SYS_RESOURCE
  should be dropped
CAP_SYS_TIME
  should be dropped
CAP_SYS_TTY_CONFIG
  should be dropped

Thanks!

-- 
Cheers,
//richard




More information about the lxc-users mailing list