[Lxc-users] Cannot Set Xattr Security.* Inside an LXC Container

chris.hayes at proporta.com chris.hayes at proporta.com
Thu Aug 8 22:03:58 UTC 2013


On Thu, 08 Aug 2013 22:37:55 +0100, chris.hayes at proporta.com wrote:
> Hi,
>
> I'm unable to set extended attributes in the 'security' namespace
> inside an LXC container. It can set attributes in the 'user' namespace
> without any issue. Outside the container (on the host operating
> system) I can set either of these using setfattr or attr without
> issue.
>
> I'm using version 0.8.0 of LXC from the packages in Debian Wheezy. Is
> there any workaround for this, anything that I can do would be very
> greatly appreciated.

OK, I see that CAP_SYS_ADMIN controls this, and I can comment out
the lxc.cap.drop declaration that disables these capabilities in order
to do what I need to do.

Looking at the list of things that it controls, it doesn't look too 
bad; if anything I'm mostly worried that it might accidentally set the 
hostname of the parent box rather than ripping a massive hole in my 
security. Can anyone provide me with some context/insight into this?

Maybe there's a way to limit it to just the special xattr namespaces?

Cheers,
Chris Hayes

>
> Thanks,
> Chris Hayes
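Before loosening lxc.cap.drop, it helps to confirm that the container's bounding set really lacks CAP_SYS_ADMIN and to see which xattr namespaces the kernel refuses. The script below is an added example, not part of the thread or of LXC: it decodes the CapBnd mask from /proc/self/status (CAP_SYS_ADMIN is bit 21 in linux/capability.h) and probes user.* and security.* writes on a temporary file using setfattr; the attribute name lxc_probe is a constructed placeholder.

```shell
#!/bin/sh
# Added example: report whether CAP_SYS_ADMIN is in this process' bounding
# capability set and probe which xattr namespaces can be written.
# Needs setfattr (attr package) for the probe step.

CAP_SYS_ADMIN_BIT=21   # value of CAP_SYS_ADMIN in linux/capability.h

# has_cap MASK BIT -> exit 0 if bit BIT is set in the hex capability MASK
# (MASK is the value found on the Cap* lines of /proc/<pid>/status).
has_cap() {
    mask=$1; bit=$2
    [ -n "$mask" ] || return 2
    # POSIX shell arithmetic accepts C-style hex constants.
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# cap_from_status FILE -> print the CapBnd mask from a /proc status file.
cap_from_status() {
    sed -n 's/^CapBnd:[[:space:]]*//p' "$1"
}

# probe_xattr FILE NAMESPACE -> try to set and remove NAMESPACE.lxc_probe.
# Prints "NAMESPACE: set OK" or "NAMESPACE: denied"; exit status matches.
probe_xattr() {
    f=$1; ns=$2
    if setfattr -n "$ns.lxc_probe" -v probe "$f" 2>/dev/null; then
        echo "$ns: set OK"
        setfattr -x "$ns.lxc_probe" "$f" 2>/dev/null
        return 0
    fi
    echo "$ns: denied"
    return 1
}

main() {
    mask=$(cap_from_status /proc/self/status)
    if has_cap "$mask" "$CAP_SYS_ADMIN_BIT"; then
        echo "CapBnd=$mask: CAP_SYS_ADMIN present in bounding set"
    else
        echo "CapBnd=${mask:-unknown}: CAP_SYS_ADMIN absent (security.* xattrs will be refused)"
    fi
    tmp=$(mktemp) || return 1
    for ns in user security; do probe_xattr "$tmp" "$ns"; done
    rm -f "$tmp"
}

main "$@"
```

Run it once on the host and once inside the container; a container whose config drops sys_admin shows "CAP_SYS_ADMIN absent" together with "security: denied", which matches the behaviour described in the thread.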




More information about the lxc-users mailing list