Re: [lxc-devel] [PATCH] Also drop caps in unpriv containers

Stéphane Graber Mon, 05 Jan 2015 04:46:50 -0800

On Mon, Jan 05, 2015 at 12:41:47PM +0000, Serge Hallyn wrote:
> Quoting Stéphane Graber ([email protected]):
> 
> No objection per se, but can you explain why?  What is the use
> case for this?


Preventing systemd from thinking it's got cap_sys_module.

That's my main use case anyway, also having a lxc.cap.* be silently
discarded just feels weird :)

> 
> > Signed-off-by: Stéphane Graber <[email protected]>
> > ---
> >  src/lxc/conf.c | 22 ++++++++++------------
> >  1 file changed, 10 insertions(+), 12 deletions(-)
> > 
> > diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > index 472eb79..72181dd 100644
> > --- a/src/lxc/conf.c
> > +++ b/src/lxc/conf.c
> > @@ -4158,20 +4158,18 @@ int lxc_setup(struct lxc_handler *handler)
> >             return -1;
> >     }
> >  
> > -   if (lxc_list_empty(&lxc_conf->id_map)) {
> > -           if (!lxc_list_empty(&lxc_conf->keepcaps)) {
> > -                   if (!lxc_list_empty(&lxc_conf->caps)) {
> > -                           ERROR("Simultaneously requested dropping and 
> > keeping caps");
> > -                           return -1;
> > -                   }
> > -                   if (dropcaps_except(&lxc_conf->keepcaps)) {
> > -                           ERROR("failed to keep requested caps");
> > -                           return -1;
> > -                   }
> > -           } else if (setup_caps(&lxc_conf->caps)) {
> > -                   ERROR("failed to drop capabilities");
> > +   if (!lxc_list_empty(&lxc_conf->keepcaps)) {
> > +           if (!lxc_list_empty(&lxc_conf->caps)) {
> > +                   ERROR("Simultaneously requested dropping and keeping 
> > caps");
> >                     return -1;
> >             }
> > +           if (dropcaps_except(&lxc_conf->keepcaps)) {
> > +                   ERROR("failed to keep requested caps");
> > +                   return -1;
> > +           }
> > +   } else if (setup_caps(&lxc_conf->caps)) {
> > +           ERROR("failed to drop capabilities");
> > +           return -1;
> >     }
> >  
> >     NOTICE("'%s' is setup.", name);
> > -- 
> > 1.9.1
> > 
> > _______________________________________________
> > lxc-devel mailing list
> > [email protected]
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
> _______________________________________________
> lxc-devel mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

signature.asc
Description: Digital signature

_______________________________________________
lxc-devel mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-devel

Re: [lxc-devel] [PATCH] Also drop caps in unpriv containers

Reply via email to