drop CAP_SYS_BOOT capability from LXC containers
* src/lxc_container.c: drop the CAP_SYS_BOOT capability from LXC containers to avoid a reboot from inside containers; patch by Ryota Ozaki. -- Daniel
parent
0c8a9d2d51
commit
9959a1dd9d
@ -1,3 +1,8 @@
|
|||||||
|
Mon May 11 16:03:37 CEST 2009 Daniel Veillard <veillard@redhat.com>
|
||||||
|
|
||||||
|
* src/lxc_container.c: drop LXC CAP_SYS_BOOT capability to avoid
|
||||||
|
reboot from inside containers, patch by Ryota Ozaki
|
||||||
|
|
||||||
Mon May 11 09:51:00 EDT 2009 Cole Robinson <crobinso@redhat.com>
|
Mon May 11 09:51:00 EDT 2009 Cole Robinson <crobinso@redhat.com>
|
||||||
|
|
||||||
* src/qemu_driver.c : Check that QEMU is still alive while
|
* src/qemu_driver.c : Check that QEMU is still alive while
|
||||||
|
@ -41,6 +41,9 @@
|
|||||||
/* For MS_MOVE */
|
/* For MS_MOVE */
|
||||||
#include <linux/fs.h>
|
#include <linux/fs.h>
|
||||||
|
|
||||||
|
#include <sys/prctl.h>
|
||||||
|
#include <sys/capability.h>
|
||||||
|
|
||||||
#include "virterror_internal.h"
|
#include "virterror_internal.h"
|
||||||
#include "logging.h"
|
#include "logging.h"
|
||||||
#include "lxc_container.h"
|
#include "lxc_container.h"
|
||||||
@ -639,6 +642,29 @@ static int lxcContainerSetupMounts(virDomainDefPtr vmDef,
|
|||||||
return lxcContainerSetupExtraMounts(vmDef);
|
return lxcContainerSetupExtraMounts(vmDef);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int lxcContainerDropCapabilities( virDomainDefPtr vmDef )
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
const struct {
|
||||||
|
int id;
|
||||||
|
const char *name;
|
||||||
|
} caps[] = {
|
||||||
|
#define ID_STRING(name) name, #name
|
||||||
|
{ ID_STRING(CAP_SYS_BOOT) },
|
||||||
|
};
|
||||||
|
|
||||||
|
for (i = 0 ; i < ARRAY_CARDINALITY(caps) ; i++) {
|
||||||
|
if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) {
|
||||||
|
lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
|
||||||
|
_("failed to drop %s"), caps[i].name);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* lxcChild:
|
* lxcChild:
|
||||||
* @argv: Pointer to container arguments
|
* @argv: Pointer to container arguments
|
||||||
@ -705,6 +731,10 @@ static int lxcContainerChild( void *data )
|
|||||||
if (lxcContainerEnableInterfaces(argv->nveths, argv->veths) < 0)
|
if (lxcContainerEnableInterfaces(argv->nveths, argv->veths) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
|
/* drop a set of root capabilities */
|
||||||
|
if (lxcContainerDropCapabilities(vmDef) < 0)
|
||||||
|
return -1;
|
||||||
|
|
||||||
/* this function will only return if an error occured */
|
/* this function will only return if an error occured */
|
||||||
return lxcContainerExecInit(vmDef);
|
return lxcContainerExecInit(vmDef);
|
||||||
}
|
}
|
||||||
|
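Review bot: In lxcContainerDropCapabilities, `prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)` removes CAP_SYS_BOOT only from the capability bounding set, so the restriction takes effect at the exec in `lxcContainerExecInit` and relies on the calling process having an empty inheritable set; nothing in the visible hunks checks or clears that set. A comment above the function should record the assumption, for example `/* Drops caps from the bounding set only: effective after exec, assumes an empty inheritable set. */`. The failure message `_("failed to drop %s")` discards errno, so a missing CAP_SETPCAP (EPERM) and a kernel without bounding-set support (EINVAL) look identical in the log; including errno in the message would separate them. Smaller points: `vmDef` is unused in the new function, `ID_STRING` is defined inside the initializer and never `#undef`'d, and `#include <sys/capability.h>` pulls in a libcap header only for the CAP_SYS_BOOT constant, which `<linux/capability.h>` also defines.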