From 80319add5542153146fdaecd46be5549b4397beb Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Thu, 26 Sep 2013 21:41:45 +0200
Subject: [PATCH] lxc: Allow set_file_cap capability in container

This means you're able to set the bits for capabilities on files inside the container. This is needed for e.g. many fedora packages as they use finegrained capabilities rather than setuid binaries. This is safe as we're not adding capabilities really, since the container is already allowed to create setuid binaries. Setuid binaries are strictly more powerful that any capabilities (as root implies all capabilities). This doesn't mean the container can *gain* capabilities that it doesn't already have though. The actual set of caps are strictly decreasing.
---
 lxc_template.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxc_template.go b/lxc_template.go
index b34ff856a2..0e2dfafd47 100644
--- a/lxc_template.go
+++ b/lxc_template.go
@@ -111,7 +111,7 @@ lxc.mount.entry = {{$realPath}} {{$ROOTFS}}/{{$virtualPath}} none bind,{{ if ind
 # (Note: 'lxc.cap.keep' is coming soon and should replace this under the
 # security principle 'deny all unless explicitly permitted', see
 # http://sourceforge.net/mailarchive/message.php?msg_id=31054627 )
-lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod setfcap setpcap sys_admin sys_boot sys_module sys_nice sys_pacct sys_rawio sys_resource sys_time sys_tty_config
+lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod setpcap sys_admin sys_boot sys_module sys_nice sys_pacct sys_rawio sys_resource sys_time sys_tty_config
 {{end}}
 
 # limits
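Review bot: The comment block above `lxc.cap.drop` says nothing about why `setfcap` is now deliberately absent from the list, so the rationale lives only in the commit message and a later edit could re-add it or loosen the list further without that context. I would add a line directly above the directive such as `# setfcap is intentionally kept: packages set file capabilities at install time, and the container can already create setuid binaries`. The "no more powerful than setuid" argument depends on the rest of this drop list staying in place, and file capabilities are stored as xattrs that persist on any bind-mounted path (the `lxc.mount.entry` line in the hunk header, whose mount options are cut off here), so it is worth confirming those mounts get the same treatment already relied on for setuid files. The conditional block that this directive sits in opens above the hunk.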