On 02/03/2012 01:54 PM, Christian Seiler wrote:
> Hi,
>
> As I didn't hear anything on this issue, I looked at it more closely and
> found that not only are capabilities currently not dropped from
> within lxc, but also the personality is not set correctly and the newly
> started process is not put in the correct cgroup (circumventing e.g. device
> restrictions!) when using lxc-attach.
>
> I've now created a set of patches that make sure that every attached
> process is now
>
> - in the correct cgroup of the container
> - has the correct personality set
> - drops its capabilities
>
> I also added the -f and -s switches to lxc-attach, because it now needs to
> read the same configuration file as lxc-start to determine the capabilities
> and personality. Additionally, lxc-attach now has a -k switch, which will
> inhibit it from dropping the capabilities, so an administrator from the
> outside may use this to reconfigure things in the container which he now may
> not have been able to.
>
> I hope you are agreeable to this improvement being merged.
Hi Christian,

thanks for your patches and your analysis.

IMO, we have to take into account that the process we want to attach could be an admin task, and this one may want to have the full permissions within the container. Also, that could be an external daemon with the same permissions as the container's processes. So inheriting should be optional, as it is up to the administrator to do the right action.

The parsing of the configuration file is right at the moment the container has a configuration file and we did not launch the container with the -s lxc.. options, or we did not modify the configuration file after the container is launched.

I think it is much more sane to retrieve the needed information from:

 * /proc/<pid>/status : for the capabilities
 * /proc/<pid>/cgroup
 * /proc/<pid>/personality

Where <pid> is the init pid of the container we can get through the get_init_pid function.

Thanks
  -- Daniel

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
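An added example (not lxc code, and not part of either message) of reading the three /proc files Daniel names above so that an attach path can take the container's bounding capability set, personality and cgroup from the running init rather than from a configuration file that may be stale. The choice of the CapBnd field and the sample texts are assumptions of this example.

```c
/* Added example, not lxc code: parse the three /proc/<init_pid> files named in
 * the reply so an attach path can take the container's bounding capability
 * set, personality and cgroup from the running init instead of the config.
 * Any text passed to these functions in this example is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CapBnd from /proc/<pid>/status text. Assumption: the bounding set is the one
 * lxc.cap.drop shrinks, so it is the set an attached task should inherit. */
int parse_cap_bnd(const char *status, unsigned long long *mask)
{
    const char *v = strstr(status, "CapBnd:"); /* label is unique in status */
    if (!v)
        return -1;
    *mask = strtoull(v + 7, NULL, 16); /* strtoull skips the tab */
    return 0;
}

/* Test capability number `cap` (e.g. 21 = CAP_SYS_ADMIN) against a mask. */
int cap_in_set(unsigned long long mask, int cap)
{
    return (mask >> cap) & 1ULL;
}

/* /proc/<pid>/personality holds one hex word, e.g. "00000008" for PER_LINUX32. */
unsigned long parse_personality(const char *text)
{
    return strtoul(text, NULL, 16);
}

/* Path of controller `subsys` in /proc/<pid>/cgroup text, where each line reads
 * "id:controller[,controller]:path". Returns 0 and fills `out` on success. */
int parse_cgroup_path(const char *cgroup, const char *subsys, char *out, size_t outsz)
{
    char ctrls[64], path[256];
    while (cgroup && *cgroup) {
        if (sscanf(cgroup, "%*d:%63[^:\n]:%255[^\n]", ctrls, path) == 2)
            for (char *t = strtok(ctrls, ","); t; t = strtok(NULL, ","))
                if (strcmp(t, subsys) == 0 && strlen(path) < outsz) {
                    strcpy(out, path);
                    return 0;
                }
        cgroup = strchr(cgroup, '\n'); /* advance to the next line */
        if (cgroup)
            cgroup++;
    }
    return -1;
}
```

Reading /proc/<pid>/personality of another process requires ptrace-level access to it, so the caller must already hold the privileges an admin attach implies.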