I am working on an embedded system with a customized Linux kernel based on 3.14 and lxc-2.0.0. The kernel has been configured to support file capabilities, and lxc-checkconfig reports file capabilities as enabled:
    # lxc-checkconfig
    --- Namespaces ---
    Namespaces: enabled
    Utsname namespace: enabled
    Ipc namespace: enabled
    Pid namespace: enabled
    User namespace: enabled
    Network namespace: enabled
    Multiple /dev/pts instances: enabled
    --- Control groups ---
    Cgroup: enabled
    Cgroup clone_children flag: enabled
    Cgroup device: enabled
    Cgroup sched: enabled
    Cgroup cpu account: enabled
    Cgroup memory controller: enabled
    Cgroup cpuset: enabled
    --- Misc ---
    Veth pair device: enabled
    Macvlan: missing
    Vlan: missing
    Bridges: enabled
    Advanced netfilter: enabled
    CONFIG_NF_NAT_IPV4: enabled
    CONFIG_NF_NAT_IPV6: enabled
    CONFIG_IP_NF_TARGET_MASQUERADE: enabled
    CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
    CONFIG_NETFILTER_XT_TARGET_CHECKSUM: missing
    FUSE (for use with lxcfs): enabled
    --- Checkpoint/Restore ---
    checkpoint restore: missing
    CONFIG_FHANDLE: enabled
    CONFIG_EVENTFD: enabled
    CONFIG_EPOLL: enabled
    CONFIG_UNIX_DIAG: missing
    CONFIG_INET_DIAG: enabled
    CONFIG_PACKET_DIAG: missing
    CONFIG_NETLINK_DIAG: missing
    File capabilities: enabled
    Note : Before booting a new kernel, you can check its configuration
    usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

In fact, file capabilities do work on the host. Here is a run on the host; dropRootPrivilege is a wrapper function that calls prctl with SECURE_NOROOT so that root runs as an unprivileged user:

    # getcap /usr/bin/tmp.sh
    /usr/bin/tmp.sh = cap_net_raw+ep
    # ./dropRootPrivilege "tmp.sh" 2 &
    # cat /proc/21992/task/21992/status
    CapInh: 0000000000000000
    CapPrm: 0000000000002000
    CapEff: 0000000000002000
    CapBnd: 0000001fffffffff

However, when the same function is executed inside the container, tmp.sh's file capability does not take effect: the effective and permitted sets are both zero.
Executed inside the container:

    ~ # getcap /usr/bin/tmp.sh
    /usr/bin/tmp.sh = cap_net_raw+ep
    ~ # dropRootPrivilege "tmp.sh" 2 &
    ~ # cat /proc/380/task/380/status
    CapInh: 0000000000000000
    CapPrm: 0000000000000000
    CapEff: 0000000000000000
    CapBnd: 00000000882135c0

The process (which executes tmp.sh) did not get the cap_net_raw capability. The LXC configuration file also contains the following capability settings:

    lxc.cap.keep = none
    lxc.cap.keep = net_admin
    lxc.cap.keep = net_raw
    lxc.cap.keep = setgid
    lxc.cap.keep = setuid
    lxc.cap.keep = mknod
    lxc.cap.keep = sys_admin
    lxc.cap.keep = sys_module
    #lxc.cap.keep = sys_nice
    lxc.cap.keep = net_bind_service
    lxc.cap.keep = setpcap
    lxc.cap.keep = setfcap

Even when I enable all capabilities, the running process still does not get the file capability. Here are my questions:

1) Does lxc-2.0.0 support file capabilities? If not, is there a way to make them work? If yes, any suggestions on how I should debug this issue?

2) For Linux kernel 3.14, what configuration should be selected to support file capabilities inside an LXC container? I already have the following kernel settings:

    CONFIG_SECURITY=y
    CONFIG_SECURITY_CAPABILITIES=y
    CONFIG_SECURITY_FILE_CAPABILITIES=y
    CONFIG_EXT4_FS_SECURITY=y
    CONFIG_EXT4_FS_XATTR=y
    CONFIG_EXT4_FS_SECURITY=y
    CONFIG_CGROUP_FREEZER=y
    CONFIG_CGROUP_DEVICE=y
    CONFIG_CPUSETS=y
    CONFIG_PROC_PID_CPUSET=y
    CONFIG_CGROUP_CPUACCT=y
    CONFIG_RESOURCE_COUNTERS=y
    CONFIG_MEMCG=y
    CONFIG_MEMCG_KMEM=y
    CONFIG_MEM_OWNER=y
    CONFIG_CGROUP_SCHED=y
    CONFIG_RT_GROUP_SCHED=y
    CONFIG_FAIR_GROUP_SCHED=y
    CONFIG_NAMESPACES=y
    CONFIG_USER_NS=y
    CONFIG_PID_NS=y
    CONFIG_UTS_NS=y
    CONFIG_IPC_NS=y
    CONFIG_NET_NS=y

Thanks!
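As an added diagnostic (example code, not the poster's dropRootPrivilege or anything from LXC), the following decodes the Cap* lines of a /proc/<pid>/status dump and tells you in which set cap_net_raw stopped: the two status dumps quoted above are embedded as sample input, and CAP_NET_RAW = 13 is the kernel's bit index for that capability.

```c
/* Added diagnostic, not the poster's code: decode the Cap* lines of a
 * /proc/<pid>/status dump and report where cap_net_raw went missing. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#define CAP_NET_RAW 13 /* bit index, as in <linux/capability.h> */
/* Sample input: the status lines quoted in the post (host and container). */
static const char HOST_STATUS[] =
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000002000\n"
    "CapEff:\t0000000000002000\nCapBnd:\t0000001fffffffff\n";
static const char CONTAINER_STATUS[] =
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t00000000882135c0\n";
struct capsets { uint64_t inh, prm, eff, bnd; };

/* Parse CapInh/CapPrm/CapEff/CapBnd; returns the number of sets found. */
static int parse_capsets(const char *status, struct capsets *cs)
{
    const char *line = status; int found = 0;
    unsigned long long v;
    memset(cs, 0, sizeof *cs);
    while (line && *line) {
        if (sscanf(line, "CapInh: %llx", &v) == 1) { cs->inh = v; found++; }
        else if (sscanf(line, "CapPrm: %llx", &v) == 1) { cs->prm = v; found++; }
        else if (sscanf(line, "CapEff: %llx", &v) == 1) { cs->eff = v; found++; }
        else if (sscanf(line, "CapBnd: %llx", &v) == 1) { cs->bnd = v; found++; }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return found;
}

/* Verdict: 0 effective; 1 permitted but not effective; 2 only in the bounding
 * set, so the file capability was not applied at exec (e.g. nosuid mount);
 * 3 not in the bounding set, so lxc.cap.keep/drop removed it; -1 no Cap* lines. */
static int diagnose(const char *status, int cap)
{
    struct capsets cs;
    uint64_t bit = (uint64_t)1 << cap;
    if (parse_capsets(status, &cs) != 4) return -1;
    if (cs.eff & bit) return 0;
    if (cs.prm & bit) return 1;
    if (cs.bnd & bit) return 2;
    return 3;
}

int main(void)
{
    printf("host %d container %d\n", diagnose(HOST_STATUS, CAP_NET_RAW),
           diagnose(CONTAINER_STATUS, CAP_NET_RAW)); /* host 0 container 2 */
    return 0;
}
```

For the container run the verdict is 2: CapBnd 0x882135c0 still has bit 13 set (it decodes to exactly the lxc.cap.keep list above), so the bounding set is not what blocks cap_net_raw; the capability xattr is simply not being honoured at exec time, which is what happens, for instance, when the container rootfs is mounted nosuid.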
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel