[Lxc-users] dropping capabilities

Daniel Lezcano daniel.lezcano at free.fr
Mon Oct 4 19:51:39 UTC 2010


On 10/04/2010 06:18 PM, richard -rw- weinberger wrote:
> On Sun, Oct 3, 2010 at 9:01 PM, richard -rw- weinberger
> <richard.weinberger at gmail.com>  wrote:
>    
>> I'm using lxc to run a few virtual private servers.
>> What capabilities are harmful and should be dropped using "lxc.cap.drop"?
>>      
> Is my question too trivial or too stupid? ;)
>    

hum, not trivial at all :)

I am not sure there is a default set of capabilities to be dropped.
Certainly some should be dropped, like CAP_SYS_MODULE, but others will 
depend on what the user expects to do with the container and what scripts 
will be run inside the container.

We certainly have to think about the root user inside a container: is it 
secure? IMO, until the user namespace is complete, it is not secure.

> Here is what I know so far:
>
> CAP_AUDIT_CONTROL:
>    should be dropped
> CAP_AUDIT_WRITE:
>    should be dropped
> CAP_CHOWN:
>    is ok
> CAP_DAC_OVERRIDE:
>    is ok
> CAP_DAC_READ_SEARCH
>    is ok
> CAP_FOWNER
>    is ok
> CAP_FSETID
>    is ok
> CAP_IPC_LOCK
>    is ok
> CAP_IPC_OWNER
>    is ok
> CAP_KILL
>    is ok
> CAP_LEASE
>    is ok
> CAP_LINUX_IMMUTABLE
>    is ok
> CAP_MAC_ADMIN
>    should be dropped
> CAP_MAC_OVERRIDE
>    should be dropped
> CAP_MKNOD
>    should be dropped
> CAP_NET_ADMIN
>    is ok
> CAP_NET_BIND_SERVICE
>    is ok
> CAP_NET_BROADCAST
>    is ok
> CAP_NET_RAW
>    ok?
>    
yes for the ping command for example.
> CAP_SETGID
>    is ok
> CAP_SETFCAP
>    should be dropped
> CAP_SETPCAP
>    should be dropped
> CAP_SETUID
>    is ok
> CAP_SYS_ADMIN
>    should be dropped
>    
The init process (upstart version) will need this because it internally 
mounts /proc and /sys.
Some other services will need it too, like automount.
> CAP_SYS_BOOT
>    should be dropped
>    
Always dropped today in the lxc-start code.

> CAP_SYS_CHROOT
>    should be dropped
> CAP_SYS_MODULE
>    should be dropped
> CAP_SYS_NICE
>    should be dropped
>    
The cgroup scheduler will protect the host and the other containers from 
an abusive nice and the cpuset will prevent unauthorized affinity. So it 
is safe to keep it I guess.

> CAP_SYS_PACCT
>    should be dropped
> CAP_SYS_PTRACE
>    is ok
> CAP_SYS_RAWIO
>    should be dropped
> CAP_SYS_RESOURCE
>    should be dropped
> CAP_SYS_TIME
>    should be dropped
>    
yes and ensure /dev/rtc is read-only and protected with the cgroup 
devices whitelist.

> CAP_SYS_TTY_CONFIG
>    should be dropped
>    
I am not sure, won't getty need it?

Thanks
   -- Daniel
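To verify that a configured lxc.cap.drop actually took effect, the bounding set of a process inside the container can be read from the CapBnd line of /proc/<pid>/status. The following is an added example, not code from this thread or from LXC itself: it decodes the CapBnd hex mask using the bit numbering from linux/capability.h, reports which capabilities the thread settles on dropping are still present, and emits the matching lxc.cap.drop line; the sample status text is constructed.

```python
"""Decode CapBnd from /proc/<pid>/status and compare with an lxc.cap.drop list."""
import re

# Capability bit numbers from linux/capability.h (index == bit in CapBnd).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN",
]

# Richard's "should be dropped" entries, minus the two Daniel argues to keep
# (CAP_SYS_ADMIN for upstart/automount, CAP_SYS_NICE under cgroup scheduling).
WANT_DROPPED = [
    "CAP_AUDIT_CONTROL", "CAP_AUDIT_WRITE", "CAP_MAC_ADMIN", "CAP_MAC_OVERRIDE",
    "CAP_MKNOD", "CAP_SETFCAP", "CAP_SETPCAP", "CAP_SYS_BOOT", "CAP_SYS_CHROOT",
    "CAP_SYS_MODULE", "CAP_SYS_PACCT", "CAP_SYS_RAWIO", "CAP_SYS_RESOURCE",
    "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG",
]

# Constructed sample: a container init whose bounding set still has
# CAP_MKNOD (bit 27) and CAP_SYS_TIME (bit 25) set, everything else dropped.
SAMPLE_STATUS = "Name:\tinit\nPid:\t1\nCapBnd:\t000000001aa8feff\n"


def decode_capbnd(status_text):
    """Return the set of capability names whose bit is set in CapBnd."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if not m:
        raise ValueError("no CapBnd line in status text")
    mask = int(m.group(1), 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def leaked_caps(status_text, want_dropped=WANT_DROPPED):
    """Capabilities we wanted dropped that are still in the bounding set."""
    return sorted(set(want_dropped) & decode_capbnd(status_text))


def lxc_cap_drop_line(caps=WANT_DROPPED):
    """lxc.cap.drop takes lowercase names without the CAP_ prefix."""
    return "lxc.cap.drop = " + " ".join(c[len("CAP_"):].lower() for c in caps)


if __name__ == "__main__":
    print(lxc_cap_drop_line())
    print("still present:", leaked_caps(SAMPLE_STATUS))
```

On a live host, pass the contents of /proc/<container-init-pid>/status instead of SAMPLE_STATUS.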
