git.proxmox.com Git - mirror_lxc.git/commit - doc/lxc.conf.sgml.in
introduce lxc.cap.keep
author    Serge Hallyn <serge.hallyn@ubuntu.com>
          Fri, 14 Jun 2013 03:43:01 +0000 (22:43 -0500)
committer Serge Hallyn <serge.hallyn@ubuntu.com>
          Thu, 5 Sep 2013 22:20:59 +0000 (17:20 -0500)
commit    1fb86a7cdc22d22b14d03eb0cbd1aa6702862dd4
tree      da4feb14889672641f40fabe4c0d5f0adf52a9f3
parent    59d66af29da6ca8c5fa8cb63a5bbfc443811bb81
introduce lxc.cap.keep

The lxc configuration file currently supports 'lxc.cap.drop', a list of
capabilities to be dropped (using the bounding set) from the container.
The problem with this is that over time new capabilities are added.  So
an older container configuration file may, over time, become insecure.

Walter has in the past suggested replacing lxc.cap.drop with
lxc.cap.preserve, which would have the inverse sense - any capabilities
in that set would be kept, any others would be dropped.

Realistically both have the same problem - the sendmail capabilities
bug proved that running code with unexpectedly dropped privilege can be
dangerous.  This patch gives the admin a choice:  You can use either
lxc.cap.keep or lxc.cap.drop, not both.

Both continue to be ignored if a user namespace is in use.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
doc/lxc.conf.sgml.in
src/lxc/conf.c
src/lxc/conf.h
src/lxc/confile.c
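The drop-list versus keep-list argument in the commit message, as an added model (not LXC's own parser): it reads the two directives from a config fragment, rejects a config that sets both, ignores both when a user namespace is in use, and shows how a capability added to the kernel after a `lxc.cap.drop` list was written slips through, while a `lxc.cap.keep` list does not. The capability names and config fragments are constructed for illustration.

```python
"""Model of lxc.cap.drop / lxc.cap.keep semantics (example, not LXC code)."""
from typing import Dict, List, Set

# Constructed snapshots of the capabilities a kernel knows about, before and
# after two new ones are added; a real check would read the kernel's bounding set.
CAPS_OLD: Set[str] = {"chown", "dac_override", "net_admin", "sys_admin",
                      "sys_module", "mknod"}
CAPS_NEW: Set[str] = CAPS_OLD | {"wake_alarm", "block_suspend"}

# Constructed config fragments in lxc.conf key = value form.
CONFIG_DROP = "lxc.cap.drop = sys_module mknod\n"
CONFIG_KEEP = "lxc.cap.keep = chown net_admin\n"
CONFIG_BOTH = CONFIG_DROP + CONFIG_KEEP


def parse_config(text: str) -> Dict[str, List[str]]:
    """Collect the whitespace-separated values of lxc.cap.drop and lxc.cap.keep."""
    out: Dict[str, List[str]] = {"lxc.cap.drop": [], "lxc.cap.keep": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in out:
            out[key].extend(value.split())
    return out


def effective_caps(text: str, kernel_caps: Set[str], userns: bool = False) -> Set[str]:
    """Return the capabilities left in the container's bounding set.

    Mirrors the rules stated in the commit: drop and keep are mutually
    exclusive, and both are ignored when a user namespace is in use.
    """
    cfg = parse_config(text)
    drop, keep = cfg["lxc.cap.drop"], cfg["lxc.cap.keep"]
    if drop and keep:
        raise ValueError("lxc.cap.drop and lxc.cap.keep cannot both be set")
    if userns:
        return set(kernel_caps)
    if keep:
        return set(kernel_caps) & set(keep)   # allow-list: new caps stay out
    return set(kernel_caps) - set(drop)       # deny-list: new caps leak in


def leaked_by_new_kernel(text: str, old: Set[str], new: Set[str]) -> Set[str]:
    """Capabilities a container gains purely because the kernel grew new ones."""
    return effective_caps(text, new) - effective_caps(text, old)
```

Running `leaked_by_new_kernel` on the drop-list config reports the two new capabilities; on the keep-list config it reports none.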