
Re: [libvirt] [RFC PATCH 1/2] LXC: Drop capabilities only if we're not within a user namespace



On 13.06.2013 20:02, Richard Weinberger wrote:
> Dropping capabilities within a user namespace makes no sense
> because any uid 0 process will regain all caps upon execve().
> 
> Signed-off-by: Richard Weinberger <richard nod at>
> ---
>  src/lxc/lxc_container.c | 21 ++++++++++-----------
>  1 file changed, 10 insertions(+), 11 deletions(-)
> 
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index 958e20d..4f00420 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -1896,6 +1896,15 @@ static int lxcContainerDropCapabilities(bool keepReboot ATTRIBUTE_UNUSED)
>      return 0;
>  }
>  
> +static int userns_supported(void)
> +{
> +    return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
> +}
> +
> +static int userns_required(virDomainDefPtr def)
> +{
> +    return def->idmap.uidmap && def->idmap.gidmap;
> +}
>  
>  /**
>   * lxcContainerChild:
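Review bot: only userns_required() is needed ahead of the new call in lxcContainerChild(), so relocating userns_supported() together with it is extra churn; a forward declaration of userns_required(), or moving just that one function, would keep this hunk minimal. Style point on both helpers: they answer a yes/no question but are declared `static int`, while this file already uses `bool` (see `bool keepReboot` in the lxcContainerDropCapabilities signature), so `static bool userns_required(virDomainDefPtr def)` would state the intent and turn `def->idmap.uidmap && def->idmap.gidmap` into a proper boolean rather than an int.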
> @@ -1992,7 +2001,7 @@ static int lxcContainerChild(void *data)
>      }
>  
>      /* drop a set of root capabilities */
> -    if (lxcContainerDropCapabilities(!!hasReboot) < 0)
> +    if (!userns_required(vmDef) && lxcContainerDropCapabilities(!!hasReboot) < 0)
>          goto cleanup;
>  
>      if (lxcContainerSendContinue(argv->handshakefd) < 0) {
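Review bot: the new condition skips the capability drop when userns_required(vmDef) is true, i.e. when both a uidmap and a gidmap are configured in the domain definition, which is not the same as actually being inside a user namespace as the subject line says; nothing in this hunk consults userns_supported(), so if the mapping is configured but the namespace is not in fact entered, root capabilities are now simply retained with no fallback. The existing comment `/* drop a set of root capabilities */` is also stale after this change and should explain the exception, e.g. `/* drop root capabilities, unless a user namespace is in use: there uid 0 regains all caps on execve() anyway */`, so a later reader does not mistake the skipped drop for a bug.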
> @@ -2025,16 +2034,6 @@ cleanup:
>      return ret;
>  }
>  
> -static int userns_supported(void)
> -{
> -    return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
> -}
> -
> -static int userns_required(virDomainDefPtr def)
> -{
> -    return def->idmap.uidmap && def->idmap.gidmap;
> -}
> -
>  virArch lxcContainerGetAlt32bitArch(virArch arch)
>  {
>      /* Any Linux 64bit arch which has a 32bit
> 
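Review bot: the commit message should say that userns_supported() and userns_required() are moved unchanged, because this hunk deletes them and the first hunk re-adds them verbatim, and git presents that as unrelated insert and delete hunks rather than a move. Behaviour is unaffected by the relocation itself, since the new position precedes every existing caller of the two helpers, but making the move explicit saves reviewers from diffing the two copies by hand.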

Any feedback on that one?

Thanks,
//richard

