Hi,

As I didn't hear anything on this issue, I looked at it more closely and found that not only are capabilities currently not dropped from within lxc, but also the personality is not set correctly and the newly started process is not put in the correct cgroup (circumventing e.g. device restrictions!) when using lxc-attach.
I've now created a set of patches that make sure that every attached process now

- is in the correct cgroup of the container
- has the correct personality set
- drops its capabilities

I also added the -f and -s switches to lxc-attach, because it now needs to read the same configuration file as lxc-start to determine the capabilities and personality. Additionally, lxc-attach now has a -k switch, which will inhibit it from dropping the capabilities, so an administrator from the outside may use this to reconfigure things in the container which he now may not have been able to.

I hope you are agreeable to this improvement being merged.

Thanks,
Christian

PS: I already didn't get any reply to my previous email: Is there any progress on pushing the last few patches required for lxc-attach to work to the upstream Linux kernel?

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
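The three properties the mail says an attached process must share with the container (cgroup membership, personality, capability bounding set) can be checked from outside the container by comparing the attached process against the container's init in /proc. The script below is an added example for that check; it is not part of the patches or of the lxc code base. It parses the v1-style /proc/PID/cgroup format ("hierarchy:controllers:path"), the CapBnd line of /proc/PID/status and the hex value in /proc/PID/personality. The sample /proc contents, the cgroup names and the PIDs are constructed for the example.

```python
"""Audit whether a process attached to a container shares the container
init's cgroups, personality and capability bounding set.

Added example, not lxc project code. The PER_LINUX32 constant (0x0008) is
from <linux/personality.h>; the sample /proc contents are constructed.
"""

PER_LINUX32 = 0x0008


def parse_cgroup(text):
    """Map controller -> cgroup path from /proc/PID/cgroup.

    Each line looks like "4:devices:/lxc/web" (v1) or "0::/lxc/web" (v2);
    a v2 line has no controller list and is stored under the key "".
    """
    groups = {}
    for line in text.strip().splitlines():
        _, controllers, path = line.split(":", 2)
        for ctl in (controllers.split(",") if controllers else [""]):
            groups[ctl] = path
    return groups


def parse_capbnd(status_text):
    """Return the capability bounding set (CapBnd) from /proc/PID/status."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapBnd line in status text")


def audit(init, attached):
    """Compare an attached process with the container init.

    Both arguments are dicts with the raw text of the 'cgroup', 'status'
    and 'personality' files. Returns a list of human-readable findings;
    an empty list means the attached process is confined like init.
    """
    findings = []

    init_groups = parse_cgroup(init["cgroup"])
    att_groups = parse_cgroup(attached["cgroup"])
    for ctl, path in sorted(init_groups.items()):
        if att_groups.get(ctl) != path:
            findings.append("cgroup %s: container=%s attached=%s"
                            % (ctl or "unified", path, att_groups.get(ctl)))

    # Any capability present in the attached bounding set but absent from
    # init's is one the container was never supposed to have.
    extra = parse_capbnd(attached["status"]) & ~parse_capbnd(init["status"])
    if extra:
        findings.append("capabilities: attached bounding set exceeds "
                        "container's by %#x" % extra)

    init_pers = int(init["personality"], 16)
    att_pers = int(attached["personality"], 16)
    if init_pers != att_pers:
        findings.append("personality: container=%#x attached=%#x"
                        % (init_pers, att_pers))
    return findings


def snapshot(pid):
    """Read the three /proc files for a live PID (needs ptrace-level
    access to PID for /proc/PID/personality, so normally run as root)."""
    out = {}
    for name in ("cgroup", "status", "personality"):
        with open("/proc/%d/%s" % (pid, name)) as f:
            out[name] = f.read()
    return out


# Constructed sample data: the container init is confined, while the
# attached shell sits in the root cgroups with a full bounding set and a
# different personality, i.e. the situation the mail describes.
CONTAINER_INIT = {
    "cgroup": "4:devices:/lxc/web\n3:cpu,cpuacct:/lxc/web\n",
    "status": "Name:\tinit\nCapBnd:\t00000000a80425fb\n",
    "personality": "00000000\n",
}
BAD_ATTACHED = {
    "cgroup": "4:devices:/\n3:cpu,cpuacct:/\n",
    "status": "Name:\tbash\nCapBnd:\t0000001fffffffff\n",
    "personality": "%08x\n" % PER_LINUX32,
}

if __name__ == "__main__":
    for finding in audit(CONTAINER_INIT, BAD_ATTACHED):
        print(finding)
```

To run it against a real system, pass `snapshot(init_pid)` and `snapshot(attached_pid)` to `audit()`; the PID of the container's init is the one lxc reports for the container, and the attached PID is the shell started with lxc-attach.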