[lxc-users] unprivileged container + setcap not working

Philip ultrafit67 at gmail.com
Fri Dec 15 03:36:32 UTC 2017


Please ignore step 4, lxc.id_map only allows ONE uid/gid, so
lxc_switch_uid_gid will fail

On Fri, Dec 15, 2017 at 10:17 AM Philip <ultrafit67 at gmail.com> wrote:

> Hi,
>
> I want to use unprivileged container + setcap to set limited capabilities,
> but cannot succeed, here is my test (lxc-1.0.8 and lxc-2.0.8):
>
> testapp:
> int ret = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
> fprintf(stderr, "socket ret %d, %s\n", ret, strerror(errno));
>
> 1. add net_raw capability
> setcap cap_net_admin,cap_net_raw=eip ./testapp
>
> 2. switch to uid 2000, execute testapp
> $ ./testapp
> socket ret 3, Success
>
> 3. use unprivileged container to run testapp
> lxc config:
> lxc.network.type = none
> lxc.id_map = u 0 2000 1
> lxc.id_map = g 0 2000 1
>
> sudo lxc-execute -n testapp -f config -P /files/testapp
> ....
> socket ret -1, Operation not permitted
>
> 4. using lxc-2.0.8, add init_uid/init_gid
> lxc.init_uid = 2000
> lxc.init_gid = 2000
>
> lxc-execute: utils.c: lxc_switch_uid_gid: 2069 Invalid argument - Failed
> to switch to gid 2000.
>
> Can anyone help, what is going wrong?
>
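A diagnostic for the failure seen in step 3, added here and not part of the thread: it decodes the capability sets in /proc/self/status and, via the NS_GET_USERNS ioctl (Linux 4.9+, assumed available), checks whether the process's user namespace owns its network namespace. With lxc.network.type = none the container shares the host network namespace, so the second check is the one to watch.

```python
#!/usr/bin/env python3
"""A raw socket inside a user namespace needs two things: CAP_NET_RAW in
CapEff, and the process being capable in the user namespace that owns the
network namespace (the kernel checks ns_capable(net->user_ns, CAP_NET_RAW)).
Sharing the host netns satisfies the first but not the second."""
import fcntl
import os

# Bit numbers from <linux/capability.h>; others are reported as CAP_<bit>.
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
             3: "CAP_FOWNER", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID",
             10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW",
             19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}

# _IO(0xb7, 1): returns an fd for the user namespace owning an ns fd (Linux 4.9+).
NS_GET_USERNS = 0xB701


def decode_caps(hex_mask):
    """Decode a CapXxx mask from /proc/<pid>/status into capability names."""
    mask = int(hex_mask, 16)
    return {CAP_NAMES.get(b, f"CAP_{b}") for b in range(64) if (mask >> b) & 1}


def status_caps(pid="self"):
    """Return {CapInh, CapPrm, CapEff, CapBnd, CapAmb} -> set of names."""
    caps = {}
    with open(f"/proc/{pid}/status") as status:
        for line in status:
            if line.startswith("Cap"):
                key, value = line.split(":", 1)
                caps[key] = decode_caps(value.strip())
    return caps


def netns_owned_by_own_userns(pid="self"):
    """True if the process's user namespace owns its network namespace, False
    if another (e.g. the host's) owns it, None if the ioctl is unavailable."""
    net_fd = os.open(f"/proc/{pid}/ns/net", os.O_RDONLY)
    try:
        owner_fd = fcntl.ioctl(net_fd, NS_GET_USERNS)
    except OSError:
        return None
    finally:
        os.close(net_fd)
    try:
        owner, mine = os.fstat(owner_fd), os.stat(f"/proc/{pid}/ns/user")
        return (owner.st_dev, owner.st_ino) == (mine.st_dev, mine.st_ino)
    finally:
        os.close(owner_fd)


if __name__ == "__main__":
    eff = status_caps().get("CapEff", set())
    print("CAP_NET_RAW effective:", "CAP_NET_RAW" in eff)
    print("netns owned by my user ns:", netns_owned_by_own_userns())
```

Run it as the container's init command in place of testapp: a False on the second line means the capability is held in the wrong user namespace, which a separate network namespace (e.g. lxc.network.type = empty) would fix.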