Serge E. Hallyn wrote:
> Quoting Daniel Lezcano ([EMAIL PROTECTED]):
>> Daniel Hokka Zakrisson wrote:
>>> Daniel Lezcano wrote:
>>>
>>> Wouldn't it be better to simply remove CAP_SYS_BOOT from containers
>>> until sys_reboot emits some signal to userspace to restart/halt the
>>> container? (This is what we do in Linux-VServer.)
>> Ok, I will try, thanks.
>>
>> BTW, isn't it possible that a process gives the CAP_SYS_BOOT capability back to
>> itself and is then able to shut down the host? I guess I should remove
>> CAP_SETPCAP too, no?
>
> No, remove it from your bounding set. You can never add bits back to
> that set. prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT);

Tested with lxc and debian minimal, I can halt/shutdown the container from inside. Cool! Thanks.

-- Daniel
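The bounding-set drop Serge suggests, as an added example that is not part of the thread or of lxc: `capbset_has`, `capbset_drop` and `drop_sys_boot_and_verify` are names chosen here. It reads the bounding set before and after the drop so the container init can confirm CAP_SYS_BOOT is really gone; the drop itself needs CAP_SETPCAP, so run unprivileged it reports EPERM rather than silently succeeding.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Returns 1 if `cap` is in the caller's capability bounding set,
 * 0 if it is not, -1 (errno set) if the kernel rejects the query,
 * e.g. EINVAL for a capability number it does not know. */
int capbset_has(int cap)
{
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Removes `cap` from the bounding set. Requires CAP_SETPCAP in the
 * caller's effective set; returns 0 on success, -1 with errno on failure
 * (EPERM when unprivileged). The drop is one-way: there is no
 * PR_CAPBSET_ADD, and the reduced set is inherited across fork/exec,
 * so a child can never regain the bit regardless of CAP_SETPCAP. */
int capbset_drop(int cap)
{
    return prctl(PR_CAPBSET_DROP, cap, 0, 0, 0);
}

/* Container-init style setup: drop CAP_SYS_BOOT so nothing inside the
 * container can reach sys_reboot() on the host, then re-read the set to
 * verify. Returns 1 if CAP_SYS_BOOT is confirmed absent, 0 if the drop
 * "succeeded" but the bit is still present (should never happen), and
 * -1 if the kernel refused the drop (caller lacks CAP_SETPCAP). */
int drop_sys_boot_and_verify(void)
{
    if (capbset_drop(CAP_SYS_BOOT) != 0)
        return -1;
    return capbset_has(CAP_SYS_BOOT) == 0 ? 1 : 0;
}

int main(void)
{
    printf("CAP_SYS_BOOT in bounding set before: %d\n", capbset_has(CAP_SYS_BOOT));
    if (drop_sys_boot_and_verify() < 0)
        perror("PR_CAPBSET_DROP refused (needs CAP_SETPCAP)");
    else
        printf("CAP_SYS_BOOT in bounding set after: %d\n", capbset_has(CAP_SYS_BOOT));
    return 0;
}
```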
