[Lxc-users] Jumping out of a read-only bind mount container

Nirmal Guhan vavatutu at gmail.com
Tue Feb 8 01:03:09 UTC 2011


On Mon, Feb 7, 2011 at 4:53 AM, Andre Nathan <andre at digirati.com.br> wrote:
> On Mon, 2011-02-07 at 10:27 -0200, Andre Nathan wrote:
>> So far, for a container running apache and cron, plus the usual stuff
>> (init, getty, login), I managed to drop these:
>>
>>   audit_control, audit_write, fowner, fsetid, ipc_lock, ipc_owner,
>>   lease, linux_immutable, mac_admin, mac_override, mknod, net_raw,
>>   setfcap, setpcap, sys_admin, sys_boot, sys_module, sys_nice,
>>   sys_pacct, sys_ptrace, sys_rawio, sys_resource, sys_time,
>>   sys_tty_config
>>
>> So far everything seems to be working, but possibly some more will have
>> to be removed from the list.
>
> Ping needs net_raw on Ubuntu.
>
>

In my case, I need to disable some sysctl from the container. For e.g.,
sysctl -w kernel.randomize_va_space (for ASLR)

I am still able to do the above after dropping SYS_ADMIN. How do I go
about figuring out the capability vs functionality mapping?
~nirmal
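Added example (a decoder written for this page, not from the thread or from lxc): it turns the CapEff/CapBnd hex mask printed in /proc/<pid>/status into capability names and applies the quoted drop list, so you can see which capabilities a container process actually keeps before testing each operation. It assumes the kernel's capability bit numbering; note that kernel.* entries under /proc/sys are plain proc files protected by their mode bits (root-owned, 0644) rather than by CAP_SYS_ADMIN, so root keeps writing them whatever is dropped unless /proc/sys is mounted read-only.

```sh
#!/bin/sh
# Added example: decode the CapEff/CapBnd hex masks that /proc/<pid>/status
# prints, so the capabilities left in a container can be compared with a
# drop list. Names are in kernel bit order (bit 0 = chown, bit 21 = sys_admin).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read"

# cap_names_from_mask HEXMASK -> space-separated names of the set bits
cap_names_from_mask() {
    mask=$((0x$1)); i=0; out=""
    for name in $CAP_NAMES; do
        [ $(( (mask >> i) & 1 )) -eq 1 ] && out="$out${out:+ }$name"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# mask_without_caps HEXMASK "name ..." -> HEXMASK with those bits cleared
mask_without_caps() {
    mask=$((0x$1))
    for drop in $2; do
        i=0
        for name in $CAP_NAMES; do
            [ "$name" = "$drop" ] && mask=$(( mask & ~(1 << i) ))
            i=$((i + 1))
        done
    done
    printf '%016x\n' "$mask"
}

# Constructed input: the full root mask of a 34-capability kernel of that era,
# minus the drop list quoted in the message above.
FULL_2011=00000003ffffffff
DROPPED="audit_control audit_write fowner fsetid ipc_lock ipc_owner lease \
linux_immutable mac_admin mac_override mknod net_raw setfcap setpcap sys_admin \
sys_boot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource \
sys_time sys_tty_config"
LEFT=$(mask_without_caps "$FULL_2011" "$DROPPED")
echo "CapEff after drops: $LEFT -> $(cap_names_from_mask "$LEFT")"
# Inside a running container, decode the live value instead:
#   cap_names_from_mask "$(awk '/^CapEff/ {print $2}' /proc/self/status)"
```

Note that dac_override stays in the remaining set; together with uid 0 that is why a read-only mount of /proc/sys, not a capability drop, is what stops the sysctl write.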

