Re: [libvirt] [PATCHv4 1/2] lxc: allow to keep or drop capabilities
On 07/18/2014 10:02 AM, Cédric Bosdonnat wrote:
> Added capabilities in the features section of LXC domains configuration.
> This section can contain elements named after the capabilities like:
>
>   <mknod state="on"/>, keep CAP_MKNOD capability
>   <sys_chroot state="off"/> drop CAP_SYS_CHROOT capability
>
> Users can restrict or give more capabilities than the default using this
> mechanism.
> ---
>  docs/drvlxc.html.in | 47 +
>  docs/schemas/domaincommon.rng | 207
>  src/conf/domain_conf.c | 126 -
>  src/conf/domain_conf.h | 56 ++
>  src/libvirt_private.syms | 3 +
>  src/lxc/lxc_cgroup.c | 8 +
>  src/lxc/lxc_container.c | 241 ++--
>  src/util/vircgroup.c | 57 +-
>  src/util/vircgroup.h | 2 +
>  tests/domainschemadata/domain-caps-features.xml | 28 +++
>  10 files changed, 755 insertions(+), 20 deletions(-)
>  create mode 100644 tests/domainschemadata/domain-caps-features.xml
>
> @@ -11847,6 +11892,22 @@ virDomainDefParseXML(xmlDocPtr xml, def-features[val] = VIR_DOMAIN_FEATURE_STATE_ON; break; +case VIR_DOMAIN_FEATURE_CAPABILITIES: +node = ctxt-node; +ctxt-node = nodes[i]; +if ((tmp = virXPathString(string(./@policy), ctxt))) { +if ((def-features[val] = virDomainCapabilitiesPolicyTypeFromString(tmp)) == -1) {

def->features is described as being of type 'enum virTristateSwitch' (was
virDomainFeatureState before I pushed the enum cleanup), but you're treating
it as 'virDomainCapabilitiesPolicy' here.

Could you either
1) switch this to virTristateSwitch, using policy='on' / policy='off'
   instead of allow/deny
2) document that a different enum is used for this feature in domain_conf.h
3) put the policy in a separate variable

Thanks,

Jan

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
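Review bot: the quoted domain_conf.c hunk saves the XPath context node (`node = ctxt->node; ctxt->node = nodes[i];`) before looking up `./@policy`, but the visible fragment ends inside the `== -1` error check without showing the restore, so confirm that `ctxt->node = node` (and the free of `tmp`) runs on the error path as well as on success; otherwise a rejected policy value leaves the parser context pointing at the `<capabilities>` element for whatever is parsed next. If the resolution of Jan's enum point is to keep a virDomainCapabilitiesPolicy value inside def->features, a comment next to this assignment is the place to say so.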
Re: [libvirt] [PATCHv4 1/2] lxc: allow to keep or drop capabilities
On Wed, 2014-07-23 at 13:23 +0200, Ján Tomko wrote:
> On 07/18/2014 10:02 AM, Cédric Bosdonnat wrote:
>> Added capabilities in the features section of LXC domains configuration.
>> This section can contain elements named after the capabilities like:
>>
>>   <mknod state="on"/>, keep CAP_MKNOD capability
>>   <sys_chroot state="off"/> drop CAP_SYS_CHROOT capability
>>
>> Users can restrict or give more capabilities than the default using this
>> mechanism.
>> ---
>>  docs/drvlxc.html.in | 47 +
>>  docs/schemas/domaincommon.rng | 207
>>  src/conf/domain_conf.c | 126 -
>>  src/conf/domain_conf.h | 56 ++
>>  src/libvirt_private.syms | 3 +
>>  src/lxc/lxc_cgroup.c | 8 +
>>  src/lxc/lxc_container.c | 241 ++--
>>  src/util/vircgroup.c | 57 +-
>>  src/util/vircgroup.h | 2 +
>>  tests/domainschemadata/domain-caps-features.xml | 28 +++
>>  10 files changed, 755 insertions(+), 20 deletions(-)
>>  create mode 100644 tests/domainschemadata/domain-caps-features.xml
>>
>> @@ -11847,6 +11892,22 @@ virDomainDefParseXML(xmlDocPtr xml, def-features[val] = VIR_DOMAIN_FEATURE_STATE_ON; break; +case VIR_DOMAIN_FEATURE_CAPABILITIES: +node = ctxt-node; +ctxt-node = nodes[i]; +if ((tmp = virXPathString(string(./@policy), ctxt))) { +if ((def-features[val] = virDomainCapabilitiesPolicyTypeFromString(tmp)) == -1) {
>
> def->features is described as being of type 'enum virTristateSwitch' (was
> virDomainFeatureState before I pushed the enum cleanup), but you're treating
> it as 'virDomainCapabilitiesPolicy' here.
>
> Could you either
> 1) switch this to virTristateSwitch, using policy='on' / policy='off'
>    instead of allow/deny
> 2) document that a different enum is used for this feature in domain_conf.h

Just pushed a commit documenting that in domain_conf.h

--
Cedric

> 3) put the policy in a separate variable
>
> Thanks,
>
> Jan
[libvirt] [PATCHv4 1/2] lxc: allow to keep or drop capabilities
Added capabilities in the features section of LXC domains configuration. This section can contain elements named after the capabilities like: mknod state=on/, keep CAP_MKNOD capability sys_chroot state=off/ drop CAP_SYS_CHROOT capability Users can restrict or give more capabilities than the default using this mechanism. --- docs/drvlxc.html.in | 47 + docs/schemas/domaincommon.rng | 207 src/conf/domain_conf.c | 126 - src/conf/domain_conf.h | 56 ++ src/libvirt_private.syms| 3 + src/lxc/lxc_cgroup.c| 8 + src/lxc/lxc_container.c | 241 ++-- src/util/vircgroup.c| 57 +- src/util/vircgroup.h| 2 + tests/domainschemadata/domain-caps-features.xml | 28 +++ 10 files changed, 755 insertions(+), 20 deletions(-) create mode 100644 tests/domainschemadata/domain-caps-features.xml diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in index fc4bc20..403ce24 100644 --- a/docs/drvlxc.html.in +++ b/docs/drvlxc.html.in 
@@ -540,6 +540,53 @@ debootstrap, whatever) under /opt/vm-1-root: lt;/domaingt; /pre +h2a name=capabilitiesAltering the available capabilities/a/h2 + +p +By default the libvirt LXC driver drops some capabilities among which CAP_MKNOD. +However span class=sincesince 1.2.6/span libvirt can be told to keep or +drop some capabilities using a domain configuration like the following: +/p +pre +... +lt;featuresgt; + lt;capabilities policy='default'gt; +lt;mknod state='on'/gt; +lt;sys_chroot state='off'/gt; + lt;/capabilitiesgt; +lt;/featuresgt; +... +/pre +p +The capabilities children elements are named after the capabilities as defined in +codeman 7 capabilities/code. An codeoff/code state tells libvirt to drop the +capability, while an codeon/code state will force to keep the capability even though +this one is dropped by default. +/p +p +The codepolicy/code attribute can be one of codedefault/code, codeallow/code +or codedeny/code. It defines the default rules for capabilities: either keep the +default behavior that is dropping a few selected capabilities, or keep all capabilities +or drop all capabilities. The interest of codeallow/code and codedeny/code is that +they guarantee that all capabilities will be kept (or removed) even if new ones are added +later. +/p +p +The following example, drops all capabilities but CAP_MKNOD: +/p +pre +... +lt;featuresgt; + lt;capabilities policy='deny'gt; +lt;mknod state='on'/gt; + lt;/capabilitiesgt; +lt;/featuresgt; +... +/pre +p +Note that allowing capabilities that are normally dropped by default can seriously +affect the security of the container and the host. +/p h2a name=usageContainer usage / management/a/h2 diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 2caeef9..cf0a66d 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -3798,6 +3798,9 @@ empty/ /element /optional + optional +ref name=capabilities/ + /optional /interleave /element /optional 
@@ -4370,6 +4373,200 @@ /element /define + !-- Optional capabilities features -- + define name=capabilities +element name=capabilities + ref name=capabilitiespolicy/ + interleave +optional + element name=audit_control +ref name=featurestate/ + /element +/optional +optional + element name=audit_write +ref name=featurestate/ + /element +/optional +optional + element name=block_suspend +ref name=featurestate/ + /element +/optional +optional + element name=chown +ref name=featurestate/ + /element +/optional +optional + element name=dac_override +ref name=featurestate/ + /element +/optional +optional + element name=dac_read_search +ref name=featurestate/ + /element +/optional +optional + element name=fowner +ref name=featurestate/ + /element +/optional +optional + element name=fsetid +ref name=featurestate/ + /element +/optional +optional + element name=ipc_lock +ref name=featurestate/ + /element +/optional +optional + element name=ipc_owner +ref name=featurestate/ + /element +/optional +optional + element name=kill +ref name=featurestate/ + /element +/optional +optional + element name=lease +
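Review bot: in the docs/drvlxc.html.in hunk, the `<span class="since">since 1.2.6</span>` marker should be checked against the release this series actually lands in, because that span is what users rely on to tell whether their libvirt understands `<capabilities>`. Two wording fixes in the same hunk: "will force to keep the capability even though this one is dropped by default" reads better as "forces libvirt to keep the capability even if it is dropped by default", and "The following example, drops all capabilities but CAP_MKNOD:" has a stray comma. The policy paragraph would also benefit from stating the precedence explicitly, i.e. that a child element's `state` always overrides the policy, which is exactly what the `policy='deny'` plus `<mknod state='on'/>` example relies on.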
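Review bot: the `<define name="capabilities">` hunk in docs/schemas/domaincommon.rng references `<ref name="capabilitiespolicy"/>`, but that define is not in the part of the patch visible here; make sure it exists and that its value list is exactly `default`, `allow` and `deny`, matching what drvlxc.html.in documents, so the schema rejects the same values the parser rejects. Since every capability is spelled out as its own `<optional><element name="...">` entry (audit_control, audit_write, block_suspend, ..., lease in the visible portion), a comment pointing at the matching enum in domain_conf.h would help keep the two lists in sync when a new capability is added, a situation the docs text explicitly anticipates.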
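The commit message above introduces the `<features><capabilities>` block and the docs hunk gives the semantics of `policy` and `state`. The Python script below is an added illustration, not part of this patch or of libvirt: it parses a domain definition, applies the documented rules (policy `default` keeps everything except libvirt's default drop set, `allow` keeps all, `deny` drops all, and each child element's `state` overrides the policy for that one capability) and reports which capabilities a container would end up with, plus which of those libvirt would normally have dropped, the case the docs warn about. The capability list and the default drop set are constructed assumptions (the page only says CAP_MKNOD is among the capabilities dropped by default); libvirt's real tables are larger.

```python
"""Added example (not libvirt code): compute the capability set an LXC domain
definition requests under the <features><capabilities policy=...> rules the
patch documents, and flag grants of capabilities libvirt drops by default."""

import xml.etree.ElementTree as ET

# Constructed subset of capabilities(7) names, lower-cased as the schema does.
# libvirt's real schema enumerates the full list.
ALL_CAPS = frozenset([
    "audit_control", "chown", "dac_override", "kill", "mknod",
    "net_admin", "sys_admin", "sys_chroot", "sys_module",
])

# Assumption: the page only says libvirt's default drops "some capabilities
# among which CAP_MKNOD"; the other entry here is a placeholder.
DEFAULT_DROPPED = frozenset(["mknod", "sys_module"])

POLICIES = ("default", "allow", "deny")


def effective_caps(domain_xml: str) -> frozenset:
    """Return the set of capabilities kept for the container."""
    root = ET.fromstring(domain_xml)
    caps_el = root.find("./features/capabilities")
    if caps_el is None:
        # No <capabilities> element: libvirt's default behaviour applies.
        return ALL_CAPS - DEFAULT_DROPPED

    policy = caps_el.get("policy", "default")
    if policy not in POLICIES:
        raise ValueError(f"unknown capabilities policy {policy!r}")
    if policy == "default":
        kept = set(ALL_CAPS - DEFAULT_DROPPED)
    elif policy == "allow":
        kept = set(ALL_CAPS)
    else:  # deny
        kept = set()

    # Per-capability children override the policy: state='on' keeps the
    # capability even if the policy drops it, state='off' drops it.
    for child in caps_el:
        if child.tag not in ALL_CAPS:
            raise ValueError(f"unknown capability element <{child.tag}>")
        state = child.get("state")
        if state == "on":
            kept.add(child.tag)
        elif state == "off":
            kept.discard(child.tag)
        else:
            raise ValueError(f"<{child.tag}> needs state='on' or state='off'")
    return frozenset(kept)


def risky_grants(domain_xml: str) -> frozenset:
    """Capabilities kept that libvirt would have dropped by default, i.e. the
    grants the documentation says can affect container and host security."""
    return effective_caps(domain_xml) & DEFAULT_DROPPED


# Constructed sample domains mirroring the two examples in the docs hunk.
DEFAULT_POLICY_XML = """
<domain type='lxc'>
  <name>vm-1</name>
  <features>
    <capabilities policy='default'>
      <mknod state='on'/>
      <sys_chroot state='off'/>
    </capabilities>
  </features>
</domain>
"""

DENY_POLICY_XML = """
<domain type='lxc'>
  <name>vm-2</name>
  <features>
    <capabilities policy='deny'>
      <mknod state='on'/>
    </capabilities>
  </features>
</domain>
"""

if __name__ == "__main__":
    for label, xml in (("default", DEFAULT_POLICY_XML), ("deny", DENY_POLICY_XML)):
        print(label, "keeps:", sorted(effective_caps(xml)))
        print(label, "grants normally dropped:", sorted(risky_grants(xml)))
```

Run against a real domain XML, `risky_grants()` is the check an operator wants before starting a container: anything it returns was deliberately re-enabled by the configuration and deserves a second look.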
Re: [libvirt] [PATCHv4 1/2] lxc: allow to keep or drop capabilities
> -Original Message-
> From: libvir-list-boun...@redhat.com [mailto:libvir-list-boun...@redhat.com] On Behalf Of Cédric Bosdonnat
> Sent: Friday, July 18, 2014 4:02 PM
> To: libvir-list@redhat.com
> Cc: Cédric Bosdonnat
> Subject: [libvirt] [PATCHv4 1/2] lxc: allow to keep or drop capabilities
>
> Added capabilities in the features section of LXC domains configuration.
> This section can contain elements named after the capabilities like:
>
>   <mknod state="on"/>, keep CAP_MKNOD capability
>   <sys_chroot state="off"/> drop CAP_SYS_CHROOT capability
>
> Users can restrict or give more capabilities than the default using this
> mechanism.
> ---

Reviewed-by: Chen Hanxiao <chenhanx...@cn.fujitsu.com>